Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Max len email addesses can be spoofed #70

Open
Divide-By-0 opened this issue May 14, 2023 · 3 comments · May be fixed by #107
Open

Max len email addesses can be spoofed #70

Divide-By-0 opened this issue May 14, 2023 · 3 comments · May be fixed by #107
Labels
bug Something isn't working easy good first issue Good for newcomers medium

Comments

@Divide-By-0
Copy link
Member

Divide-By-0 commented May 14, 2023

Need to add a mitigation for the critical vulnerability where I can pretend to be another email address by making my email address <max_len_minus_10>@gmail.commydomain.com and <max_len_minus_10>@gmail.com reaches max_len so it truncates and thinks I'm the latter person.

Easy to fix by ensuring the array index via QuinSelector like this pseudocode:
message_id_regex_reveal[message_id_idx + max_message_id_len] === 0

@Divide-By-0 Divide-By-0 changed the title Max len emails can be spoofed Max len email addesses can be spoofed May 14, 2023
@Divide-By-0 Divide-By-0 added bug Something isn't working good first issue Good for newcomers medium easy labels May 14, 2023
@Coollaitar
Copy link

Would you be able to let me know which file needs to be modified?

@lonerapier lonerapier linked a pull request Sep 20, 2023 that will close this issue
@saleel
Copy link
Member

saleel commented Apr 19, 2024

@Divide-By-0 Packing of regex reveal asserts that data after maxLen is zero (i.e nothing is truncated) - https://github.com/zkemail/zk-email-verify/blob/main/packages/circuits/utils/regex.circom#L45

This should fix the above issue? (assuming the regex for From email returns the whole email address which is more than maxlen)

@prkpndy
Copy link

prkpndy commented Nov 24, 2024

Hey. I attended the zkemail session at Devcon and want to contribute to the project.
Can I pick this up as my first issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working easy good first issue Good for newcomers medium
Projects
Status: No status
Development

Successfully merging a pull request may close this issue.

4 participants