fix(webauthn): validate rp.id as a registrable domain suffix (fix #187)#189
Closed
AlfioEmanueleFresta wants to merge 2 commits into
Closed
fix(webauthn): validate rp.id as a registrable domain suffix (fix #187)#189AlfioEmanueleFresta wants to merge 2 commits into
AlfioEmanueleFresta wants to merge 2 commits into
Conversation
AlfioEmanueleFresta
changed the title
Member
Author
|
Closing in favour of a follow-up PR that introduces a PublicSuffixList trait and DatFilePublicSuffixList impl, per the design discussion in #173. The current implementation embeds the PSL via the psl crate, which contradicts the agreed-on design. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #187. Stacked on #188.
What
Replaces the strict-equality check between the JSON request's
rp.idand the origin's effective domain with the spec-correct "registrable domain suffix of or equal to" relation from HTML §6.5 (referenced by WebAuthn L3 §5.1.3 step 7 and §5.1.7 step 9).Net effect:
rp.id = "example.org"now works against an origin ofhttps://login.example.org, whilerp.id = "co.uk"againsthttps://example.co.ukis still correctly rejected becauseco.ukis a public suffix.Implementation
is_registrable_domain_suffix_or_equal(rp_id, effective_domain)in the origin module. Implements the HTML §6.5 algorithm: equality short-circuit, label-aligned suffix check, then PSL-based rejections (rp.id must not be the effective domain's public suffix and must not itself be a public suffix).from_idl_modelin bothget_assertion.rsandmake_credential.rs. Therelying_party_idstored on the parsed request is the JSON'srp.id(when present), which can now legitimately differ from the origin's host.pslcrate as a dep. PSL data is embedded at compile time, no runtime fetch (unlike thepublicsuffixv1.5 +List::fetch()approach in PR Implement #160 Related Origins support (WebAuthn L3 § 5.11) #173). Implement #160 Related Origins support (WebAuthn L3 § 5.11) #173 can adoptpsllater if it wants the same code path.Related-origin (§5.11) fallback is still a separate concern, tracked by #173 itself. The TODO comment in the code now points there.
Tests
comandco.uk), longer rp.id rejected, multi-label suffix accepted (bar.example.com->foo.bar.example.com), empty rejected.from_jsonfor bothMakeCredentialRequestandGetAssertionRequest: rp.id-as-parent-registrable-suffix accepted, rp.id-as-eTLD rejected.Test plan
cargo build --workspace --all-targets --all-featurescargo fmt --all -- --checkcargo clippy --workspace --all-targets --all-features -- -D warningscargo test --workspace(149 tests)cargo publish --dry-run -p libwebauthn