Verify WebAuthn Signature Encoding #388

Merged
merged 7 commits into from
Apr 22, 2024

nlordell
Collaborator

This PR adds logic to verify the WebAuthn signature encoding length. This is done so that encodings have a strict upper bound (determined by the 'standard' ABI encoding of the WebAuthn.Signature struct) on the length of the signatures.

This prevents a potential griefing attack where the signature that is sent to an ERC-4337 bundler could be arbitrarily padded with additional 0s (which would have trivial increases to the calldatasize with onchain LZMA calldata decompression that already exists) while causing accounts to pay significantly more in gas costs for signature verification (bounded by the verificationGasLimit).
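The length bound described above, modelled offline in Python as an added example (not code from this PR or the project). It assumes the signature is ABI-encoded as a tuple of two dynamic byte fields followed by two 256-bit integers; the field layout, function names and sample values are assumptions made for illustration.

```python
WORD = 32

def align(n: int) -> int:
    """Round n up to the next 32-byte boundary."""
    return (n + WORD - 1) & ~(WORD - 1)

def word(n: int) -> bytes:
    return n.to_bytes(WORD, "big")

def tail(data: bytes) -> bytes:
    """ABI tail of a dynamic field: length word, then data zero-padded to a word."""
    return word(len(data)) + data.ljust(align(len(data)), b"\0")

def encode(auth_data: bytes, client_fields: bytes, r: int, s: int) -> bytes:
    """Standard ABI encoding of the assumed tuple (bytes, string, uint256, uint256)."""
    head_len = 4 * WORD
    tail_a, tail_b = tail(auth_data), tail(client_fields)
    head = word(head_len) + word(head_len + len(tail_a)) + word(r) + word(s)
    return head + tail_a + tail_b

def read_word(blob: bytes, pos: int) -> int:
    """Read one word; bytes past the end read as zero, as calldata does."""
    return int.from_bytes(blob[pos:pos + WORD].ljust(WORD, b"\0"), "big")

def max_length(blob: bytes) -> int:
    """Largest accepted encoding length, derived from the declared field lengths."""
    a_len = read_word(blob, read_word(blob, 0))
    b_len = read_word(blob, read_word(blob, WORD))
    # 6 fixed words: two offsets, r, s, and the two length words.
    return 6 * WORD + align(a_len) + align(b_len)

def length_ok(blob: bytes) -> bool:
    return len(blob) <= max_length(blob)

def with_gap(blob: bytes, gap: int) -> bytes:
    """Same fields, but `gap` zero bytes inserted between head and tails."""
    head = word(read_word(blob, 0) + gap) + word(read_word(blob, WORD) + gap)
    return head + blob[2 * WORD:4 * WORD] + bytes(gap) + blob[4 * WORD:]

# Constructed sample values, not taken from a real authenticator.
AUTH_DATA = bytes(32) + b"\x05" + bytes(4)           # 37 bytes
CLIENT_FIELDS = b'"origin":"https://example.com"'    # 30 bytes
SIG = encode(AUTH_DATA, CLIENT_FIELDS, 1, 2)

if __name__ == "__main__":
    for name, blob in [("canonical", SIG), ("trailing zeros", SIG + bytes(4096)),
                       ("gap after head", with_gap(SIG, 64))]:
        print(f"{name:15} len={len(blob):5} max={max_length(blob)} ok={length_ok(blob)}")
```

Both padded variants decode to the same fields as the canonical encoding, which is why the check is on total length rather than on the decoded values.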

@nlordell nlordell requested a review from a team as a code owner April 17, 2024 12:30
@nlordell nlordell requested review from akshay-ap, mmv08 and remedcu and removed request for a team April 17, 2024 12:30
@coveralls

coveralls commented Apr 17, 2024

Pull Request Test Coverage Report for Build 8781835032

Details

  • 11 of 11 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.4%) to 87.059%

Totals Coverage Status
Change from base Build 8735258562: 0.4%
Covered Lines: 113
Relevant Lines: 120

💛 - Coveralls

@mmv08 mmv08 force-pushed the check-signature-length branch 2 times, most recently from 3a651eb to 3030223 Compare April 19, 2024 09:12
@nlordell nlordell force-pushed the check-signature-length branch from 3030223 to c8c08f1 Compare April 22, 2024 09:35
@nlordell nlordell merged commit a3de03a into main Apr 22, 2024
16 checks passed
@nlordell nlordell deleted the check-signature-length branch April 22, 2024 11:50
@github-actions github-actions bot locked and limited conversation to collaborators Apr 22, 2024
3 participants