Submission Details
Severity:
Empty string can be set using `setPassword()`
Summary
Empty string can be stored as a new password
Vulnerability Details
setPassword(...) doesn't check if length of the stirng passed as new password is zero or not. That means an empty string can be passed as a new password.
Test for PoC
function test_empty_string_can_be_set_as_a_password() public {
vm.startPrank(owner);
string memory newPassword = "";
console2.log(bytes(newPassword).length);
passwordStore.setPassword(newPassword);
}
Output:
gitpod /workspace/2023-10-PasswordStore (main) $ forge test --mt test_empty_string_can_be_set_as_a_password -vv
[⠔] Compiling...
[⠑] Compiling 1 files with 0.8.18
[⠘] Solc 0.8.18 finished in 1.06s
Compiler run successful with warnings:
Warning (2018): Function state mutability can be restricted to view
--> test/PasswordStore.t.sol:38:5:
|
38 | function test_anyone_can_read_the_password() public {
| ^ (Relevant source part starts here and spans across multiple lines).
Running 1 test for test/PasswordStore.t.sol:PasswordStoreTest
[PASS] test_empty_string_can_be_set_as_a_password() (gas: 15187)
Logs:
0
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.39ms
Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)
Impact
Empty password should not be allowed as it gives bad User experience and also difficulty in integrating with frontend.
Tools Used
Manual Review
Recommendations
Add the following check:
function setPassword(string memory newPassword) external {
+ if(bytes(newPassword).length == 0){
+ revert PasswordStore__EmptyPasswordNotAllowed();
+ }
s_password = newPassword;
emit SetNetPassword();
}
Updates
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.