X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fmystery-box.js;h=2343c5e164f79f9d04629a97c366a1fbd0f58595;hb=b9782b5dfca21a6da610eebf8bd7207f10256fbf;hp=be12245538fd966172e88b5f7266dd0a4d949a45;hpb=044615f53bacdc366b44941218d808c549607469;p=squeep-mystery-box
diff --git a/lib/mystery-box.js b/lib/mystery-box.js
index be12245..2343c5e 100644
--- a/lib/mystery-box.js
+++ b/lib/mystery-box.js
@@ -3,6 +3,7 @@
 const crypto = require('crypto');
 const zlib = require('zlib');
 const { promisify } = require('util');
+const { base64ToBase64URL, base64URLToBase64 } = require('@squeep/base64url');
 const common = require('./common');
 const allVersions = require('./version-parameters');
 const { performance } = require('perf_hooks');
@@ -183,7 +184,7 @@ class MysteryBox {
 const tag = cipher.getAuthTag();
 const merged = Buffer.concat([versionBuffer, flagsBuffer, iv, salt, tag, encrypted, final]).toString('base64');
- const result = common.base64ToBase64URL(merged);
+ const result = base64ToBase64URL(merged);
 timingsMs.end = timingsMs.postCrypt = performance.now();
 this.logger.debug(_scope, 'statistics', { version, flags: this._prettyFlags(flags), serialized: contents.length, compressed: payload.length, encoded: result.length, ...MysteryBox._timingsLog(timingsMs) });
@@ -208,7 +209,11 @@ class MysteryBox {
 end: 0,
 };
- const raw = Buffer.from(common.base64URLToBase64(box), 'base64');
+ if (!box) {
+ throw new RangeError('nothing to unpack');
+ }
+
+ const raw = Buffer.from(base64URLToBase64(box), 'base64');
 let offset = 0;
 const version = raw.slice(offset, 1).readUInt8(0);
@@ -219,6 +224,11 @@ class MysteryBox {
 const v = this.versionParameters[version];
 offset += v.versionBytes;
+ const minBytes = v.versionBytes + v.flagsBytes + v.ivBytes + v.saltBytes + v.tagBytes;
+ if (raw.length < minBytes) {
+ throw new RangeError('not enough to unpack');
+ }
+
 const flags = raw.slice(offset, offset + v.flagsBytes).readUInt8(0);
 offset += v.flagsBytes;
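Review bot: The added `!box` guard in the third hunk (`@@ -208,7 +209,11 @@`) only stops null, undefined and the empty string. A truthy value that decodes to zero bytes still reaches `raw.slice(offset, 1).readUInt8(0)` two lines later, because `Buffer.from(…, 'base64')` does not throw on malformed input. If boxes can come from untrusted input, checking the decoded buffer makes that failure deliberate: add `if (!raw.length) { throw new RangeError('nothing to unpack'); }` right after the `Buffer.from` line. How `base64URLToBase64` treats a non-string argument is not visible here, so a `typeof box !== 'string'` test in the same guard is worth considering. The enclosing function starts and ends outside this hunk.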
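Review bot: The minimum-length check in the last hunk (`@@ -219,6 +224,11 @@`) should carry a comment stating what it does and does not guarantee, for example `// Reject truncated input before slicing the fixed-width header fields; the payload itself is not length-checked here.` The `<` comparison accepts a buffer of exactly header size, so an empty ciphertext passes and is presumably left to the authentication-tag check further down, outside this hunk. The check also runs after `v.versionBytes` has been read, so it relies on the version byte having been validated in the lines between this hunk and the previous one, which are not shown. If these RangeError messages can reach a client, mapping them to a single generic failure at the boundary avoids revealing which parsing stage rejected the input.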