I'm not 100% sure about this, but I think that the way we are using variable length string prefixes in the CCV module (for example: https://github.com/cosmos/interchain-security/blob/main/x/ccv/child/types/keys.go) could lead to a situation where an injection attack is possible.
Think about the (contrived) scenario where you have one set of records with keys made like this:
"bond" + <ID>
and a set of records with keys made like this:
"bonded" + <ID>
If the user has some kind of control over the ID on the "bond" records, they could create a situation where the first bytes of the ID are the same as the letters "ed". This could allow them to insert records into the "bonded" set.
I think we should use byte prefixes as is done in cosmos-sdk modules, or use iota to generate byte prefixes (we did this in gravity). Another option is to take string prefixes but hash or pad them.
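The collision described in the issue, next to the fixed-length byte-prefix layout it proposes, as an added Go example (not code from the interchain-security repository). The constant names, helper functions and sample IDs are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
)

// Variable-length string prefixes from the issue's scenario.
const (
	bondStr   = "bond"
	bondedStr = "bonded"
)

// Hypothetical one-byte prefixes generated with iota (names are assumptions).
const (
	bondByte byte = iota + 1
	bondedByte
)

// key concatenates a prefix and an ID into a fresh store key.
func key(prefix, id []byte) []byte {
	return append(append([]byte{}, prefix...), id...)
}

// scan mimics a prefix iterator: it counts the keys that start with prefix.
func scan(keys [][]byte, prefix []byte) (n int) {
	for _, k := range keys {
		if bytes.HasPrefix(k, prefix) {
			n++
		}
	}
	return n
}

// bondedHits writes only "bond" records for ids, then scans the "bonded" set.
func bondedHits(ids [][]byte, bond, bonded []byte) int {
	var keys [][]byte
	for _, id := range ids {
		keys = append(keys, key(bond, id))
	}
	return scan(keys, bonded)
}

func main() {
	ids := [][]byte{[]byte("42"), []byte("ed42")} // constructed IDs; the second is user-chosen
	fmt.Println("string prefixes:", bondedHits(ids, []byte(bondStr), []byte(bondedStr)))
	fmt.Println("byte prefixes:  ", bondedHits(ids, []byte{bondByte}, []byte{bondedByte}))
}
```

With string prefixes the "bonded" scan returns one record even though only "bond" records were written; with distinct prefixes of equal length it returns none.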