Skip to content

Fixes passkeys validation errors#2916

Open
a2kolbasov wants to merge 3 commits into
keepassxreboot:developfrom
a2kolbasov:passkeys/validation-errors
Open

Fixes passkeys validation errors#2916
a2kolbasov wants to merge 3 commits into
keepassxreboot:developfrom
a2kolbasov:passkeys/validation-errors

Conversation

@a2kolbasov

@a2kolbasov a2kolbasov commented Mar 20, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

  1. length - the length in elements, byteLength - the length in bytes. Also length does not exist in ArrayBuffer. For ArrayBuffer validation is undefined < 16. But BigUint64Array requires 128 bytes to pass validation.

    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray
    https://www.w3.org/TR/webauthn-2/#sctn-cryptographic-challenges

  2. rp.id in PublicKeyCredentialCreationOptions, but rpId in PublicKeyCredentialRequestOptions

    https://www.w3.org/TR/webauthn-2/#idl-index

  3. strict ROR validation

    • Prevent tracking and non-domain requests
    • Checking response status code

    https://www.w3.org/TR/webauthn-3/#sctn-validating-relation-origin

Fixes #2915

Screenshots or videos

Testing strategy

  1. Manually via debugger
  2. Register and authenticate on https://webauthn.io/

Additional information, resources etc.

Type of change

  • ✅ Bug fix (non-breaking change that fixes an issue)

@a2kolbasov
[passkeys] Correcting errors in types
3278d71 
1. `length` - the length in elements, `byteLength` - the length in bytes. Also `length` does not exist in `ArrayBuffer`.
  - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray
  - https://www.w3.org/TR/webauthn-2/#sctn-cryptographic-challenges

2. `rp.id` in PublicKeyCredentialCreationOptions, but `rpId` in PublicKeyCredentialRequestOptions
  - https://www.w3.org/TR/webauthn-2/#idl-index
@a2kolbasov
[passkeys] strict ROR validation
0a2ff38 
- Prevent tracking and non-domain requests
- Checking response status code

https://www.w3.org/TR/webauthn-3/#sctn-validating-relation-origin
@varjolintu

varjolintu commented Mar 20, 2026

Copy link
Copy Markdown
Member

Validation of Related Origins is made in the KeePassXC side.

varjolintu
varjolintu reviewed Mar 20, 2026
View reviewed changes
Comment thread keepassxc-browser/content/passkeys-utils.js Outdated
droidmonkey
droidmonkey requested changes Mar 20, 2026
View reviewed changes
Comment thread keepassxc-browser/background/keepass.js
@a2kolbasov

a2kolbasov commented Mar 20, 2026

Copy link
Copy Markdown
Contributor Author

Validation of Related Origins is made in the KeePassXC side.

I'm not checking ROR. I'm checking the data for a GET request the same way you check the JSON<string[]> compliance of the response. (#2915 (comment))

varjolintu
varjolintu reviewed Mar 29, 2026
View reviewed changes
Comment thread keepassxc-browser/background/keepass.js
varjolintu
varjolintu reviewed Mar 30, 2026
View reviewed changes
Comment thread keepassxc-browser/background/keepass.js
let hostname;
try {
hostname = new URL(`https://${rpId}`).hostname;
} catch { }

@varjolintu varjolintu Mar 30, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should return already in here?

@a2kolbasov a2kolbasov Mar 30, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So there should be code duplication?

try {
  if (new URL(`https://${rpId}`).hostname !== rpId) {
    logError(`getRelatedOrigins error: "${rpId}" is wrong rpId`);
    return [];
  }
} catch {
  logError(`getRelatedOrigins error: "${rpId}" is wrong rpId`);
  return [];
}

@varjolintu varjolintu Mar 31, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Of course we want to handle the exception.

@a2kolbasov a2kolbasov Jun 18, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error itself does not provide any useful information. The rpId may be incorrect both in case of an error and without one.

If an error occurs, the assignment operation will not be executed, and the hostname will be equal to undefined.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@varjolintu varjolintu varjolintu left review comments
@droidmonkey droidmonkey droidmonkey requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

There is no check on rpId to ensure it's a hostname

3 participants

@a2kolbasov @varjolintu @droidmonkey