-
Notifications
You must be signed in to change notification settings - Fork 206
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
zoe: Validate endoZipBase64 upon receipt #3878
Comments
Adding notes for myself: To protect users when they attempt to inspect the source code of contract installations, Installations do not always come directly from Zoe, however - in particular a dapp might send your wallet an alleged installation that has never gone through Zoe. In this, case, the user should check their installation with Zoe. A method to do this does not yet exist but is mentioned in issue #3344 I also need to learn more about what kinds of attacks through zip files are possible, so this may not cover all the attacks. Additionally, @kriskowal says that a different extension may help. |
Added:
|
/me surripitiously stuffs droste.zip and co back into its archive folder. |
@kriskowal We included this in the Mainnet 1 release, even though it is labeled MN-2. I'm removing the MN-2 label. If you think it really should be MN-2, please LMK. |
And I’ve posted a fib of 5 for this on the assumption that writing good tests is 4/5 of the effort. |
In #4751, we introduced We may want to also vet content-bundles at Zoe ingress as long as we support that feature, but it seems to me we can be lazy about that if Zoe stops accepting content-bundles before integrity checks become important (MN-3?). |
What is the Problem Being Solved?
Third-parties submit contracts to Zoe as bundles and Zoe creates an installation. The installation in turn vends out the bundle to any handle on the installation. This makes it possible for an attacker to install a contract with an arbitrary Zip file that another client would receive from the installation. Although Zoe is safe from malicious Zip files by virtue of using a very narrowly prescribed Zip file reader, the client does not benefit from the same protection. A crafted Zip file for example could be a small Zip file that expands to petabytes of data by exploiting compression, duplication, and recursion within the archive.
Description of the Design
To validate a bundle, Zoe would need only to attempt to extract it into memory with
@endo/zip
, which would balk at any file that uses compression or an end-of-archive comment. To go farther,@endo/zip
could be more weary about overlapping content regions or duplicate canonicalized file names. We should also go forward to ensure that every individual file in the archive is retained by name in the compartment-map.json, that its extension is consistent with its module type, and that it is a valid module of that type. We should keep in mind that the module types are likely to become extensible in the future and to somehow accommodate that. We should also assert that no files are executable.Security Considerations
Zoe should not be made vulnerable to hand-crafted malicious Zip files.
Test Plan
It should be sufficient to submit a variety of hand-crafted malicious Zip files, each exploiting one of the Zip format features that can lead to problems.
The text was updated successfully, but these errors were encountered: