Fix: invalid consent strings missing legit interest section causes panic (#39)

Author: sebmil-daily

vendorconsent/tcf2/bitfield.go

@@ -7,7 +7,8 @@ import (
 func parseBitField(metadata ConsentMetadata, vendorBitsRequired uint16, startbit uint) (*consentBitField, uint, error) {
 	data := metadata.data
 
-	bytesRequired := (uint(vendorBitsRequired) + startbit) / 8
+	// add 7 to force rounding to next integer value
+	bytesRequired := (uint(vendorBitsRequired) + startbit + 7) / 8
 	if uint(len(data)) < bytesRequired {
 		return nil, 0, fmt.Errorf("a BitField for %d vendors requires a consent string of %d bytes. This consent string had %d", vendorBitsRequired, bytesRequired, len(data))
 	}

vendorconsent/tcf2/bitfield_test.go

@@ -31,3 +31,12 @@ func TestBitField(t *testing.T) {
 		assertBoolsEqual(t, ok, consent.VendorConsent(i))
 	}
 }
+
+func TestParseBitFieldRounding(t *testing.T) {
+	// crafted metadata to have 232 bits of data
+	data := make([]byte, 29)
+	metadata := ConsentMetadata{data: data}
+	// having 3 vendors with 230 bits of header should require 30 bytes of data (233 bits rounded to upper byte)
+	_, _, err := parseBitField(metadata, 3, 230)
+	assertError(t, err)
+}

vendorconsent/tcf2/consent.go

@@ -2,6 +2,7 @@ package vendorconsent
 
 import (
 	"encoding/base64"
+	"fmt"
 	"strings"
 
 	"github.com/prebid/go-gdpr/api"
@@ -49,6 +50,7 @@ func Parse(data []byte) (api.VendorConsents, error) {
 	var legitIntStart uint
 	var pubRestrictsStart uint
 	// Bit 229 determines whether or not the consent string encodes Vendor data in a RangeSection or BitField.
+	// We know from parseMetadata that we have at least 29*8=232 bits available
 	if isSet(data, 229) {
 		vendorConsents, legitIntStart, err = parseRangeSection(metadata, metadata.MaxVendorID(), 230)
 	} else {
@@ -65,6 +67,9 @@ func Parse(data []byte) (api.VendorConsents, error) {
 		return nil, err
 	}
 
+	if legitIntStart+16 >= uint(len(data))*8 {
+		return nil, fmt.Errorf("invalid consent data: no legitimate interest start position")
+	}
 	if isSet(data, legitIntStart+16) {
 		vendorLegitInts, pubRestrictsStart, err = parseRangeSection(metadata, legIntMaxVend, metadata.vendorLegitimateInterestStart)
 	} else {

vendorconsent/tcf2/consent_test.go

@@ -0,0 +1,17 @@
+package vendorconsent
+
+import (
+	"testing"
+)
+
+func TestParseLegitIntSetWithBitField(t *testing.T) {
+	// this test uses a crafted consent uses bit field, declares 10 vendors and legitimate interest without required content
+	_, err := Parse(decode(t, "COvcSpYOvcSpYC9AAAENAPCAAAAAAAAAAAAAAFAAAAA"))
+	assertError(t, err)
+}
+
+func TestParseLegitIntSetWithRangeSection(t *testing.T) {
+	// this test uses a crafted consent uses range section, declares 10 vendors, 6 exceptions and legitimate interest without required content
+	_, err := Parse(decode(t, "COvcSpYOvcSpYC9AAAENAPCAAAAAAAAAAAAAAFQBgAAgABAACAAEAAQAAgAA"))
+	assertError(t, err)
+}

vendorconsent/tcf2/test_utils.go

@@ -33,6 +33,12 @@ func assertNilError(t *testing.T, err error) {
 	}
 }
 
+func assertError(t *testing.T, err error) {
+	if err == nil {
+		t.Fatal("Expected error but got none")
+	}
+}
+
 func assertStringsEqual(t *testing.T, expected string, actual string) {
 	t.Helper()
 	if actual != expected {