fix(verify): reject unsupported receiptVersion values (closes #53)#9
Open
akuraposo wants to merge 1 commit into
Open
fix(verify): reject unsupported receiptVersion values (closes #53)#9akuraposo wants to merge 1 commit into
akuraposo wants to merge 1 commit into
Conversation
The local reference verifier only checked `receiptVersion` as a required signed field, not as a required v1 constant. A signed, unexpired receipt with `receiptVersion: "v2"` (or any other unsupported value) was accepted by `pp verify` as long as `canonicalization` was `jcs_v1`, `signatureAlg` was `ed25519`, the signature verified, and the receipt was not expired or revoked. That means a verifier claiming `pp-receipt-v1` compatibility could silently accept receipts from an unsupported receipt-version namespace, downgrading the local trust boundary. This patch adds an explicit `receiptVersion === 'v1'` check (matching the v1 spec) and fails closed with a `MALFORMED_RECEIPT` error if any other value is supplied. - Added `RECEIPT_VERSION = 'v1'` constant in `src/verify.ts` - Added explicit version check after the canonicalization check - Added regression test that forges receiptVersion='v2' on a valid receipt and expects MALFORMED_RECEIPT - All 6 tests pass (5 pre-existing + 1 new) - `npm run build` clean Closes #53
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #53: the local reference verifier in
pp-clionly checkedreceiptVersionas a required signed field, not as a required v1constant. A signed, unexpired receipt with
receiptVersion: "v2"(orany other unsupported value) was accepted by
pp verifyas long ascanonicalizationwasjcs_v1,signatureAlgwased25519, thesignature verified, and the receipt was not expired or revoked.
That means a verifier claiming
pp-receipt-v1compatibility couldsilently accept receipts from an unsupported receipt-version
namespace, downgrading the local trust boundary.
Fix
Added a
RECEIPT_VERSION = 'v1'constant insrc/verify.tsand anexplicit version check after the canonicalization check. The
verifier now fails closed with
MALFORMED_RECEIPTand exit code 3if any value other than
"v1"is supplied.The constant value matches the v1 receipt spec at
https://github.com/permission-protocol/receipt-spec, which states:
Validation
npm test -- --run— all 6 tests pass (5 pre-existing + 1 newregression test that forges
receiptVersion: "v2"on a validreceipt and expects
MALFORMED_RECEIPT)npm run build— cleangit diff --check— cleanBounty
Submitted for assessment under #36 as a distinct Ed25519
verification-flow flaw. Payout details can be provided privately
after validation.