assemblyscript-bson

Is it secure?

Open KOLANICH opened this issue 7 years ago • 1 comments

https://github.com/WebAssembly/design/blob/master/Security.md

Although attackers cannot perform direct code injection attacks, it is possible to hijack the control flow of a module using code reuse attacks against indirect calls.

KOLANICH, Dec 10 '18 08:12

The parser should be safe from buffer overruns as it reads binary data from Uint8Buffer, which implements boundary checks: https://github.com/AssemblyScript/assemblyscript/blob/master/std/assembly/internal/typedarray.ts#L50

However, note that it would still result in a crash (of the WA guest), so depending on your app an attacker can be doing a denial-of-service attack by sending invalid BSON.

It's not a problem in the case of smart contracts for https://github.com/nearprotocol/nearcore, because they are expected to have a short execution time and fail fast on errors.

vgrichina, Dec 11 '18 05:12
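For hosts where a guest crash on invalid BSON matters, one mitigation is to check the document framing before handing the bytes to the parser, so malformed input is rejected with an error instead of a trap. The sketch below is an added example, not code from assemblyscript-bson or from this thread; `checkBsonFrame` is a hypothetical name, and it assumes only the element types listed in its comments need to be accepted.

```typescript
// Fixed payload sizes for a subset of BSON element types (per the BSON spec):
// double, ObjectId, boolean, UTC datetime, null, int32, int64.
const FIXED_SIZE = new Map<number, number>([
  [0x01, 8], [0x07, 12], [0x08, 1], [0x09, 8], [0x0a, 0], [0x10, 4], [0x12, 8],
]);

// Constructed sample: the document {"a": 1} with an int32 value.
const SAMPLE_OK = new Uint8Array([0x0c, 0, 0, 0, 0x10, 0x61, 0, 1, 0, 0, 0, 0]);

// Returns null when the document frame is well-formed, otherwise a reason.
// Every read is preceded by an explicit length check, so malformed input
// yields an error string rather than an out-of-range access.
function checkBsonFrame(buf: Uint8Array, start: number = 0, depth: number = 0): string | null {
  if (depth > 32) return "nesting too deep";
  if (buf.length - start < 5) return "shorter than minimal document";
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const size = view.getInt32(start, true);
  if (size < 5 || size > buf.length - start) return "declared size out of range";
  const end = start + size - 1; // offset of the document's terminating 0x00
  if (view.getUint8(end) !== 0) return "missing document terminator";
  let pos = start + 4;
  while (pos < end) {
    const type = view.getUint8(pos++);
    while (pos < end && view.getUint8(pos) !== 0) pos++; // element name (cstring)
    if (pos >= end) return "unterminated element name";
    pos++; // skip the name's 0x00
    let len: number;
    const fixed = FIXED_SIZE.get(type);
    if (fixed !== undefined) {
      len = fixed;
    } else if (type === 0x02) { // string: int32 length, then bytes ending in 0x00
      if (end - pos < 4) return "truncated string length";
      const n = view.getInt32(pos, true);
      if (n < 1 || n > end - pos - 4) return "string length out of range";
      if (view.getUint8(pos + 4 + n - 1) !== 0) return "string not null-terminated";
      len = 4 + n;
    } else if (type === 0x03 || type === 0x04) { // embedded document or array
      const inner = checkBsonFrame(buf.subarray(0, end), pos, depth + 1);
      if (inner !== null) return inner;
      len = view.getInt32(pos, true);
    } else {
      return "unsupported element type 0x" + type.toString(16);
    }
    if (len > end - pos) return "element overruns document";
    pos += len;
  }
  return null;
}
```

The depth limit of 32 is an arbitrary choice for the example; it bounds recursion on deeply nested input, which is a separate way to exhaust a parser.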