-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Max len email addesses can be spoofed #70
Labels
Comments
Divide-By-0
changed the title
Max len emails can be spoofed
Max len email addesses can be spoofed
May 14, 2023
Divide-By-0
added
bug
Something isn't working
good first issue
Good for newcomers
medium
easy
labels
May 14, 2023
Would you be able to let me know which file needs to be modified? |
@Divide-By-0 Packing of regex reveal asserts that data after maxLen is zero (i.e nothing is truncated) - https://github.com/zkemail/zk-email-verify/blob/main/packages/circuits/utils/regex.circom#L45 This should fix the above issue? (assuming the regex for From email returns the whole email address which is more than maxlen) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Need to add a mitigation for the critical vulnerability where I can pretend to be another email address by making my email address <max_len_minus_10>@gmail.commydomain.com and <max_len_minus_10>@gmail.com reaches max_len so it truncates and thinks I'm the latter person.
Easy to fix by ensuring the array index via QuinSelector like this pseudocode:
message_id_regex_reveal[message_id_idx + max_message_id_len] === 0
The text was updated successfully, but these errors were encountered: