ax(ueps): add usage-example comment on default HMAC coverage path

AX Principle 2 — comments as usage examples. The default switch case in
ReadAndVerify silently included unknown extension tags in signedData with
no explanation of why; added a concrete comment showing the pattern and
the security rationale (tag-injection prevention).

Co-Authored-By: Charon <charon@lethean.io>
Claude 2026-04-02 10:04:01 +01:00
parent 842508661f
commit c8edfee8ae
GPG key ID: AF404715446AEB41


@ -87,6 +87,8 @@ func ReadAndVerify(reader *bufio.Reader, sharedSecret []byte) (*ParsedPacket, er
case TagHMAC:
signature = tagValue
default:
// Unknown extension tags are included in HMAC coverage to prevent tag-injection attacks.
// signedData.Write(extensionTLV) — forward-compatible: new tags are authenticated, not silently dropped.
signedData.WriteByte(tagByte)
signedData.WriteByte(byte(tagLength))
signedData.Write(tagValue)
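Review bot: the second comment line in the default case cites `signedData.Write(extensionTLV)`, but no `extensionTLV` value exists in this function; the code actually writes the tag byte, a one-byte length and the value as three separate calls, so the pseudo-call reads as a stale or invented API rather than a usage example. Suggest rewording it to describe the real encoding, e.g. `// Append the raw TLV (tag, 1-byte length, value) so the HMAC covers exactly the bytes received.` Because the length is narrowed with `byte(tagLength)`, the comment should also state where tagLength is bounded to 255 (or that oversized tags are rejected before this point); otherwise the bytes fed to the MAC here can differ from what the sender authenticated. Lastly, the forward-compatibility claim holds only if the sending side's HMAC covers unknown tags the same way; a sentence noting that contract would stop a future extension tag that the sender omits from coverage turning into a hard verification failure.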