suzanne.soy/fork-openpgpjs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request from GHSA-ch3c-v47x-4pgp

Browse Source 
Reject cleartext messages with extraneous data preceeding hash header
This commit is contained in:
larabr 2023-08-29 16:49:28 +02:00 committed by GitHub
commit 6b43e02a25
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/cleartext.js
View File

@ -174,7 +174,7 @@ function verifyHeaders(headers, packetlist) {
let oneHeader = null; let oneHeader = null;
let hashAlgos = []; let hashAlgos = [];
headers.forEach(function(header) { headers.forEach(function(header) {
oneHeader = header.match(/Hash: (.+)/); // get header value oneHeader = header.match(/^Hash: (.+)$/); // get header value
if (oneHeader) { if (oneHeader) {
oneHeader = oneHeader[1].replace(/\s/g, ''); // remove whitespace oneHeader = oneHeader[1].replace(/\s/g, ''); // remove whitespace
oneHeader = oneHeader.split(','); oneHeader = oneHeader.split(',');

26
test/general/signature.js
View File

@ -999,6 +999,32 @@ eSvSZutLuKKbidSYMLhWROPlwKc2GU2ws6PrLZAyCAel/lU=
expect(await sigInfo.verified).to.be.true; expect(await sigInfo.verified).to.be.true;
}); });
it('Reject cleartext message with arbitrary text added around hash headers (spoofed cleartext message)', async function() {
await expect(openpgp.readCleartextMessage({ cleartextMessage: `-----BEGIN PGP SIGNED MESSAGE-----
This is not signed but you might think it is Hash: SHA512
This is signed
-----BEGIN PGP SIGNATURE-----
wnUEARYKACcFgmTsqxgJkEhlqJkkhIfRFiEEUA/OS4xZ3EwNC5l8SGWomSSE
h9EAALyPAQDDR0IYwq/5XMVSYPWojBamM4NhcP5arA656ALIq9cJYAEAlw0H
Fk7EflUZzngwY4lBzYAfnNBjEjc30xD/ddo+rwE=
=O7mt
-----END PGP SIGNATURE-----` })).to.be.rejectedWith(/Only "Hash" header allowed/);
await expect(openpgp.readCleartextMessage({ cleartextMessage: `-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512\vThis is not signed but you might think it is
This is signed
-----BEGIN PGP SIGNATURE-----
wnUEARYKACcFgmTsqxgJkEhlqJkkhIfRFiEEUA/OS4xZ3EwNC5l8SGWomSSE
h9EAALyPAQDDR0IYwq/5XMVSYPWojBamM4NhcP5arA656ALIq9cJYAEAlw0H
Fk7EflUZzngwY4lBzYAfnNBjEjc30xD/ddo+rwE=
=O7mt
-----END PGP SIGNATURE-----` })).to.be.rejectedWith(/Unknown hash algorithm in armor header/);
});
it('Supports non-human-readable notations', async function() { it('Supports non-human-readable notations', async function() {
const { packets: [signature] } = await openpgp.readSignature({ armoredSignature: signature_with_non_human_readable_notations }); const { packets: [signature] } = await openpgp.readSignature({ armoredSignature: signature_with_non_human_readable_notations });
// There are no human-readable notations so `notations` property does not // There are no human-readable notations so `notations` property does not