bug: decoding fixed bytes into fixed array

[karalabe]

TL;DR: https://go.dev/play/p/pllZCYDLQ1G

When decoding a 31 byte array from CBOR into a [32]byte array in Go, the code currently sets the remaining items in Go to zero: https://github.com/fxamacker/cbor/blob/master/decode.go#L2391.

Now, this may be a design choice, but me trying to decode into a [32]byte kind of means I fully expect and want 32 bytes or a decode error. Silently padding with zeroes is IMO a potential security issue in certain systems because multiple different input data decodes to the same output struct.

[karalabe]

Seems a similar issue happens if the input is larger, just then the items are silently dropped: https://github.com/fxamacker/cbor/blob/master/decode.go#L2388

Isn't there a way to enforce string size matches?

[fxamacker]

Hi @karalabe thanks for opening this issue!

Currently, there are ways (workarounds) to enforce same length when decoding CBOR data to a Go array, but I think it would be convenient and more efficient to have a new decoding option for this.

Details

Now, this may be a design choice, but me trying to decode into a [32]byte kind of means I fully expect and want 32 bytes or a decode error. Silently padding with zeroes is IMO a potential security issue in certain systems because multiple different input data decodes to the same output struct.

Yes, it was a design choice to handle this the same way as Go's built-in JSON codec when decoding data to a Go array.

Go's built-in JSON codec decodes data to Go array as documented at golang/go like this:

 // To unmarshal a JSON array into a Go array, Unmarshal decodes 
 // JSON array elements into corresponding Go array elements. 
 // If the Go array is smaller than the JSON array, 
 // the additional JSON array elements are discarded. 
 // If the JSON array is smaller than the Go array, 
 // the additional Go array elements are set to zero values. 

Isn't there a way to enforce string size matches?

Yes, there are some ways (see "Workarounds" below), but they have some disadvantages compared to adding and using a new decoding option.

For decoding a CBOR data item to a Go array, I'm open to adding a new decoding option to enforce length match, provided the default decoding behavior continues to match Go's built-in JSON codec.

Workarounds

Until the new decoding option is added, here are some ways to enforce length:

• A simple workaround would be to decode to a Go slice (instead of Go array), and then verify if the slice length matches the expected length.

• A reusable workaround is to implement cbor.Unmarshaler interface for the user defined type for the Go array. In the UnmarshalCBOR([]byte), we can decode data to a Go slice, return error if decoded length is not the expected length, etc. Example at go.dev/play.

Status

Given this works as designed to match the behavior of Go's built-in JSON decoder, I'd like to change this from a "bug" to "feature" request and keep this issue open until the decoding setting is added.

Thanks again for opening this issue. Please let me know if this works for you, etc.