add ecdsa signature length security check

ambrosus · Apr 3, 2024 · 49f4802 · 49f4802
1 parent 6ea7e1f
commit 49f4802
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/shared/src/utils.rs b/shared/src/utils.rs
@@ -11,6 +11,8 @@ use std::{panic, path::PathBuf, str::FromStr, thread, time::Duration};
 
 use crate::common::{SBTRequest, WalletSignedMessage, WrappedCid};
 
+const RECOVERABLE_ECDSA_SIGNATURE_LENGTH: usize = 65;
+
 pub async fn load_config<T: DeserializeOwned>(root: &str) -> Result<T, ConfigError> {
     let root = PathBuf::from(root);
     let default = root.join("config/default");
@@ -147,6 +149,10 @@ pub fn recover_eth_address(
     let message_hash = keccak256_hash_message_with_eth_prefix(decoded_message);
 
     let signature = hex::decode(signed_message.sign)?;
+    if signature.len() != RECOVERABLE_ECDSA_SIGNATURE_LENGTH {
+        return Err(anyhow::Error::msg("Invalid signature length"));
+    }
+
     let recovery_id = RecoveryId::from_byte((signature[64] as i32 - 27) as u8)
         .ok_or_else(|| anyhow::Error::msg("Invalid reconvery param"))?;