Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[security] Reliance on default encoding #488

Closed
duglin opened this issue Nov 8, 2022 · 3 comments · Fixed by #491
Closed

[security] Reliance on default encoding #488

duglin opened this issue Nov 8, 2022 · 3 comments · Fixed by #491

Comments

@duglin
Copy link
Contributor

duglin commented Nov 8, 2022

Description

Multiple instances were identified in which the getByte() standard Java API is used without specifying any encoding. Doing so causes the Java SDK to rely on the system default encoding, which can differ across platforms and systems used by event actors and cause unexpected differences in processing of event data.
The specification states that appropriate and RFC-compliant encodings MUST be followed, but the implementation in the Java SDK and documentation should be improved to highlight the importance of matching encoding across actors.
Not all observed instances are necessarily problematic, as they are handling binary data. However, this behavior should be documented and handled in the SDK implementation, documentation, and supplied examples.

import io.cloudevents.CloudEvent;
import io.cloudevents.core.builder.CloudEventBuilder;

import java.net.URI;

final CloudEvent event = CloudEventBuilder.v1()
    .withId("000")
    .withType("example.demo")
    .withSource(URI.create("http://example.com"))
    .withData("text/plain","Hello world!".getBytes())
    .build();

code

private byte[] getBinaryData(Message<?> message) {
     Object payload = message.getPayload();
     if (payload instanceof byte[]) {
       return (byte[]) payload;
     }
     else if (payload instanceof String) {
            return ((String) payload).getBytes(Charset.defaultCharset());
     }
     return null;
}

code

Exploit Scenario

The event producer, the intermediary (using the SDK), and the consumer use different default encodings for their systems. Without acknowledging a fixed encoding, the data is handled and processed using an unintended encoding, resulting in unexpected behavior.

Recommendations

Short term, improve the SDK documentation to highlight the importance of matching encoding acros actors.
Long term, review all similar instances across the SDK and improve test cases to cover handling of message and data encoding.

References

@duglin
Copy link
Contributor Author

duglin commented Nov 8, 2022

This was opened due to the Trail of Bits security review

@duglin
Copy link
Contributor Author

duglin commented Dec 8, 2022

@pierDipi any thoughts on this one?

duglin pushed a commit to duglin/sdk-java that referenced this issue Dec 8, 2022
duglin pushed a commit to duglin/sdk-java that referenced this issue Dec 8, 2022
duglin pushed a commit to duglin/sdk-java that referenced this issue Dec 8, 2022
duglin pushed a commit to duglin/sdk-java that referenced this issue Dec 8, 2022
@duglin
Copy link
Contributor Author

duglin commented Dec 8, 2022

@pierDipi see #491

pierDipi pushed a commit that referenced this issue Jan 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant