utils: Fix bug in deepCompare which would incorrectly return objects with disjoint keys as equal #2586
Conversation
github-actions
bot
added
the
Z-Community-PR
|
3nprob
force-pushed
the
fix-deepcompare
branch
from
32f0f96
to
d4115f3
Compare
|
This function is used in these places in this repo. While it's involved in cryptographic key management I don't immediately see how this can become an actual security issue. Line 6265 in 9eb7290 |
|
@turt2live @richvdh (Since I see you as the users of this function when looking at the blame) |
|
hey @3nprob - thanks for the PR. Would it be possible to get a de-anonymized signoff on your PRs, or a form filled out with [email protected] (email) please? Thanks |
I'd rather stay pseudonymous for the time being. Invited you for DM on Matrix just now. I could take a look at the form - e-mail in the signoff should work. |
|
If you've invited me to a DM, I did not get it 😅 - I'm |
|
So we did have a brief chat just now. Unfortunately I had missed this before starting work: https://github.com/matrix-org/matrix-js-sdk/blob/develop/CONTRIBUTING.md#sign-off
I submit and make my patches available under the Apache License and have agreed to the DCO, which I have signed off on. Element is free to use these patches under the license, all I ask is that the license terms including attribution are followed. However, requiring contributors to doxx themselves (in a way legally recognized in the UK, I assume here) is not something I find comfortable with for a project such as this (which is kind of OT here; just explaining my rationale for any onlookers wondering why this is hanging). |
The existing code is asymmetric and checks one direction twice and never the other. Check out and run just the added regression cases and you should see them fail. |
|
For anyone wondering what the status is re the sign-off conversation above: Got put in touch with someone else from the Matrix Foundation and they came up with something that was acceptable so this PR should be good to go and they told me that this is now unblocked in that regard as of Wednesday last week. Also just rebased on current |
3nprob
force-pushed
the
fix-deepcompare
branch
2 times, most recently
from
feb02a1
to
1f17973
Compare
…with disjoint keys as equal
3nprob
force-pushed
the
fix-deepcompare
branch
from
1f17973
to
48cce65
Compare
|
Rebased on |
This test wrongly asserted that `initialSyncLimit` would be used to make a filter It is used only for the initial sync inline filter, and not in POST /filter
|
@3nprob my PR was related to the test failure, but not due to the code being buggy, but the test making the wrong assertions |
| if (y.hasOwnProperty(p) !== x.hasOwnProperty(p)) { | ||
| return false; | ||
| } | ||
| } | ||
|
|
||
| // finally, compare each of x's keys with y | ||
| for (p in y) { // eslint-disable-line guard-for-in |
There was a problem hiding this comment.
right, it was pointed out to me that this is the bug I couldn't see: y is meant to be x.
Or more precisely: The bug existed before and after your PR but some assertions were missing in the tests,making it go undetected. This PR added those assertions. |
|
Just curious; Why did e808e0f become part of this PR and not opened as its own? Looks like a completely separate issue and only tangentially related through the tests. The resulting commit e87ce87 makes it look like a single change. EDIT: Realized I prematurely deleted the branch on GH before fetching it... web archive mirror is not pretty but should work to distinguish in case the GH links stop. |
|
@3nprob it became part of this PR to get your tests passing, we squash merge by policy hence it becoming a single commit |
* Fix bug in deepCompare which would incorrectly return objects with disjoint keys as equal ([\matrix-org#2586](matrix-org#2586)). Contributed by @3nprob. * Refactor Sync and fix `initialSyncLimit` ([\matrix-org#2587](matrix-org#2587)). * Use deep equality comparisons when searching for outgoing key requests by target ([\matrix-org#2623](matrix-org#2623)). Contributed by @duxovni. * Fix room membership race with PREPARED event ([\matrix-org#2613](matrix-org#2613)). Contributed by @jotto.
Checklist
Type: Defect
Here's what your changelog entry will look like:
🐛 Bug Fixes