Page MenuHomePhabricator
Differential D13436

[keyserver] Avoid trusting FIDs passed from client in updateRelationships
ClosedPublic
Actions

Authored by ashoat on Mon, Sep 23, 10:34 PM.
Tags
None
Referenced Files
F2838868: D13436.diff
Sun, Sep 29, 12:00 AM
Unknown Object (File)
Fri, Sep 27, 5:29 PM
Unknown Object (File)
Wed, Sep 25, 1:29 AM
Unknown Object (File)
Wed, Sep 25, 1:29 AM
Unknown Object (File)
Wed, Sep 25, 1:29 AM
Unknown Object (File)
Wed, Sep 25, 1:01 AM
Subscribers
tomek

Details

Reviewers
varun
Commits
rCOMM2dba9fb9b5ed: [keyserver] Avoid trusting FIDs passed from client in updateRelationships
Summary

We first implemented this code in the Hackathon, and forgot to reconsider it later.

We should avoid trusting the user's claims about FIDs. Instead, we should query the identity service.

This diff avoids changing the API, but updates the implementation to ignore the FIDs passed by the client.

Depends on D13435

Test Plan

I haven't done this yet, but I need to confirm that the Farcaster mutual logic still works correctly

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

ashoat created this revision.Mon, Sep 23, 10:34 PM
Herald added a subscriber: tomek. · View Herald TranscriptMon, Sep 23, 10:34 PM
ashoat added a child revision: D13437: [keyserver][lib][native] Rename RelationshipRequest to LegacyRelationshipRequest.Mon, Sep 23, 10:34 PM
Harbormaster returned this revision to the author for changes because remote builds failed.Mon, Sep 23, 10:48 PM
Harbormaster failed remote builds in B31793: Diff 44459!
ashoat updated this revision to Diff 44470.Mon, Sep 23, 10:56 PM

Rebase

Harbormaster completed remote builds in B31804: Diff 44470.Mon, Sep 23, 11:43 PM
ashoat requested review of this revision.Mon, Sep 23, 11:43 PM
ashoat mentioned this in D13438: [keyserver] Rework updateRelationships on keyserver to use new API.Tue, Sep 24, 10:13 AM
ashoat mentioned this in D13441: [lib][native][web] Introduce useUpdateRelationships.
varun accepted this revision.Tue, Sep 24, 10:58 AM
This revision is now accepted and ready to land.Tue, Sep 24, 10:58 AM
Closed by commit rCOMM2dba9fb9b5ed: [keyserver] Avoid trusting FIDs passed from client in updateRelationships (authored by ashoat). · Explain WhyTue, Sep 24, 3:04 PM
This revision was automatically updated to reflect the committed changes.
ashoat added a commit: rCOMM2dba9fb9b5ed: [keyserver] Avoid trusting FIDs passed from client in updateRelationships.

Revision Contents
Changeset List

PathSize
keyserver/
src/
updaters/
54 lines

Diff 44459

View Options

keyserver/src/updaters/relationship-updaters.js

Loading...