Section 3.1 of RFC 8152 defines a number of common COSE header parameters and their associated value types. Applications using the go-cose library may rely on COSE-defined headers decoded by the library to be of a specified type. For example, the COSE specification defines the content-type header to be of type either text string or unsigned integer. The go-cose library currently only validates the alg and crit parameters.
An application using go-cose to verify and validate incoming COSE messages may for example use the content-type header to index a map, expecting the content type to be a valid string or integer. If that assumption is violated, a malicious message may cause a panic in the receiver.
The lack of validation also allows users to serialize messages that will be rejected by other conforming COSE libraries - for example https://github.com/laurencelundblade/t_cose rejects messages with incorrect header types.
The implementation should validate common header types, and/or clearly document which headers are validated.
Section 3.1 of RFC 8152 defines a number of common COSE header parameters and their associated value types. Applications using the go-cose library may rely on COSE-defined headers decoded by the library to be of a specified type. For example, the COSE specification defines the content-type header to be of type either text string or unsigned integer. The go-cose library currently only validates the alg and crit parameters.
An application using go-cose to verify and validate incoming COSE messages may for example use the content-type header to index a map, expecting the content type to be a valid string or integer. If that assumption is violated, a malicious message may cause a panic in the receiver.
The lack of validation also allows users to serialize messages that will be rejected by other conforming COSE libraries - for example https://github.com/laurencelundblade/t_cose rejects messages with incorrect header types.
The implementation should validate common header types, and/or clearly document which headers are validated.