Validate the JSON data in load

lib/u2f/register_response.rb

@@ -20,6 +20,10 @@ def self.load_from_json(json)
         raise RegistrationError, code: data['errorCode']
       end
 
+      if !data.key?('clientData') || !data.key?('registrationData')
+        raise RegistrationError, message: 'Invalid JSON'
+      end
+
       instance = new
       instance.client_data_json =
         ::U2F.urlsafe_decode64(data['clientData'])

lib/u2f/sign_response.rb

@@ -4,6 +4,11 @@ class SignResponse
 
     def self.load_from_json(json)
       data = ::JSON.parse(json)
+      if !data.key?('clientData') || !data.key?('keyHandle') ||
+         !data.key?('signatureData')
+        raise Error, 'Missing required data'
+      end
+
       instance = new
       instance.client_data_json =
         ::U2F.urlsafe_decode64(data['clientData'])

spec/lib/register_response_spec.rb

@@ -28,6 +28,17 @@
     end
   end
 
+  context 'with invalid response' do
+    let(:registration_data_json) { '{}' }
+    it 'raises RegistrationError with code' do
+      expect {
+        register_response
+      }.to raise_error(U2F::RegistrationError) do |error|
+        expect(error.message).to eq('Invalid JSON')
+      end
+    end
+  end
+
   context 'with unpadded response' do
     let(:registration_data_json) { registration_data_json_without_padding }
     it 'does not raise "invalid base64" exception' do

spec/lib/sign_response_spec.rb

@@ -8,6 +8,17 @@
   let(:sign_response) { U2F::SignResponse.load_from_json json_response }
   let(:public_key_pem) { U2F::U2F.public_key_pem(device.origin_public_key_raw) }
 
+  context 'with invalid response' do
+    let(:json_response) { '{}' }
+    it 'raises error' do
+      expect {
+        sign_response
+      }.to raise_error(U2F::Error) do |error|
+        expect(error.message).to eq('Missing required data')
+      end
+    end
+  end
+
   describe '#counter' do
     subject { sign_response.counter }
     it { is_expected.to be device.counter }