Check file name charset when parsing manifests. (#320)

This PR introduces checking of the content of file names in a manifest during parsing. This fixes a crash when later code assumes that the file names only contain ASCII characters and otherwise panics. This PR fixes Routinator CVE-2025-0638.
NLnetLabs · Jan 22, 2025 · ce5f033 · ce5f033
1 parent 0f83469
commit ce5f033
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 4 deletions.
diff --git a/src/repository/manifest.rs b/src/repository/manifest.rs
@@ -420,10 +420,7 @@ impl FileAndHash<Bytes, Bytes> {
         cons: &mut decode::Constructed<S>
     ) -> Result<Option<()>, DecodeError<S::Error>> {
         cons.take_opt_sequence(|cons| {
-            cons.take_value_if(
-                Tag::IA5_STRING,
-                OctetString::from_content
-            )?;
+            let _ = Ia5String::take_from(cons)?;
             BitString::skip_in(cons)?;
             Ok(())
         })
@@ -556,6 +553,20 @@ mod test {
             "../../test-data/repository/serde-compat/manifest.json"
         )).unwrap();
     }
+
+    #[test]
+    fn charset_violation() {
+        assert!(
+            Manifest::decode(
+                // This manifest is identical to ta.mft but has a non-ASCII
+                // character in the manifest filenames.
+                include_bytes!(
+                    "../../test-data/repository/ta.mft.bad-filename"
+                ).as_ref(),
+                false,
+            ).is_err()
+        );
+    }
 }
 
 #[cfg(all(test, feature = "softkeys"))]

diff --git a/test-data/repository/ta.mft.bad-filename b/test-data/repository/ta.mft.bad-filename