[Golang] Add bounds-checked decoding functions #8244
Conversation
"Safe"-prepended "Get" decoding functions include bounds checking to avoid panics for situations where safety from untrusted inputs is critical and performance isn't as necessary. Does not modify existing functions, simply adds 15 new functions for each type of decoding available in `go/encode.go`. Does not include safety measures for decoding strings.
Correct buffer length check from 4 to 8
ricardonunez-io
changed the title
|
How is one supposed to use these functions? Ideally these would be used in safe variants of the generated code. Also, there is clearly some functional overlap with #8030 |
| // SafeGetBool first bounds checks the byte slice to ensure a length of 1 | ||
| // then decodes a little-endian bool from the byte slice | ||
| func SafeGetBool(buf []byte) (bool, error) { | ||
| if len(buf) != 1 { |
There was a problem hiding this comment.
Instead of checking the length exactly, this should probably be if len(buf) < 1 (same in other functions)
There was a problem hiding this comment.
Hi Jeroen! Thanks for the review.
Instead of checking the length exactly, this should probably be
if len(buf) < 1(same in other functions)
Wouldn't this cause this function to incorrectly pass the bounds check if buf is an empty slice and/or a slice of length n - 1 when checking for length n?
How is one supposed to use these functions? Ideally these would be used in safe variants of the generated code.
Yes, you're correct, these would have to be used in the generated code as safe options through a compiler flag, I missed that, I'll work on adding that to the Go code generator.
Also, there is clearly some functional overlap with #8030
There is definitely overlap in its utility, but verifier is more comprehensive in its implementation in verifying each table, buffer offsets, table depth/complexity, etc. and thus incurs more overhead.
These functions are to safely retrieve scalar values with as minimal overhead as possible, given that the original functions already force bounds checks but panic instead of throw.
However, let me know if you think the project would see further utility in these safe scalar retrieval functions, and I'll work on getting codegen working through an --include-safe flag.
Thank you!
"Safe"-prepended "Get" decoding functions in the Go package include bounds checking to avoid panics for situations where safety from untrusted inputs is critical and performance isn't as necessary.
Does not modify existing functions, simply adds 15 new functions for each type of decoding available in go/encode.go.
Does not include safety measures for decoding strings.