fix: prototype inheritance bug in decodeEncryptionContext (aws#216)

If the serialised encryption context contains a key-value pair where the key coincides with a property of Object.prototype, decodeEncryptionContext will incorrectly throw 'Error: Duplicate encryption context key value'.

The fix is to create the encryptionContext using Object.create(null) instead of the standard object initialiser.
This commit also adds a test vector in fixtures.ts, containing ‘hasOwnProperty’ as its only key.

Nota bene: This fix disables the standard calling of Object.prototype functions on encryption contexts returned by decodeEncryptionContext. In particular, it is no longer possible to call encryptionContext.hasOwnProperty(prop). However, due to the fix, one can use the simpler encryptionContext[prop] instead.

Author: PetarMax

modules/serialize/src/deserialize_factory.ts

@@ -197,7 +197,7 @@ export function deserializeFactory<Suite extends AlgorithmSuite> (
    * @param encodedEncryptionContext Uint8Array
    */
   function decodeEncryptionContext (encodedEncryptionContext: Uint8Array) {
-    const encryptionContext: EncryptionContext = {}
+    const encryptionContext: EncryptionContext = Object.create(null)
     /* Check for early return (Postcondition): The case of 0 length is defined as an empty object. */
     if (!encodedEncryptionContext.byteLength) {
       return encryptionContext

modules/serialize/test/deserialize_factory.test.ts

@@ -78,6 +78,17 @@ describe('deserializeFactory:decodeEncryptionContext', () => {
     expect(test).to.have.property('information')
       .and.to.eql('\u00bd + \u00bc = \u00be')
   })
+
+  it('Keys may be properties of Object.prototype, decodeEncryptionContext has to succeed', () => {
+    const { decodeEncryptionContext } = deserializeFactory(toUtf8, WebCryptoAlgorithmSuite)
+
+    /* hasOwnProperty test vector */
+    const encryptionContext = fixtures.hasOwnPropertyEncryptionContext().slice(2)
+
+    const test = decodeEncryptionContext(encryptionContext)
+    expect(test).to.have.property('hasOwnProperty')
+      .and.to.eql('arbitraryValue')
+  })
 })
 
 describe('deserializeFactory:deserializeEncryptedDataKeys', () => {

modules/serialize/test/fixtures.ts

@@ -77,6 +77,10 @@ export function duplicateKeysEncryptionContext () {
   return new Uint8Array([ 0, 43, 0, 4, 0, 11, 105, 110, 102, 111, 114, 109, 97, 116, 105, 111, 110, 0, 12, 194, 189, 32, 43, 32, 194, 188, 32, 61, 32, 194, 190, 0, 11, 105, 110, 102, 111, 114, 109, 97, 116, 105, 111, 110, 0, 12, 194, 189, 32, 43, 32, 194, 188, 32, 61, 32, 194, 190, 0, 4, 115, 111, 109, 101, 0, 6, 112, 117, 98, 108, 105, 99, 0, 4, 115, 111, 109, 101, 0, 6, 112, 117, 98, 108, 105, 99 ])
 }
 
+export function hasOwnPropertyEncryptionContext () {
+  return new Uint8Array([ 0, 34, 0, 1, 0, 14, 104, 97, 115, 79, 119, 110, 80, 114, 111, 112, 101, 114, 116, 121, 0, 14, 97, 114, 98, 105, 116, 114, 97, 114, 121, 86, 97, 108, 117, 101 ])
+}
+
 export function basicFrameIV () {
   return new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1])
 }