From 33684e356f1f2fdcd99b2fb85fcc5d52223769a0 Mon Sep 17 00:00:00 2001
From: Jacob Heun
Date: Wed, 22 Aug 2018 21:58:24 +0200
Subject: [PATCH] fix(security): ensure validate is properly checking verify status
---
 src/index.js | 4 ++--
 test/index.spec.js | 24 +++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/index.js b/src/index.js
index 419ef12..86950c4 100644
--- a/src/index.js
+++ b/src/index.js
@@ -72,8 +72,8 @@ const validate = (publicKey, entry, callback) => {
 const dataForSignature = ipnsEntryDataForSig(value, validityType, validity)
 // Validate Signature
- publicKey.verify(dataForSignature, entry.signature, (err) => {
- if (err) {
+ publicKey.verify(dataForSignature, entry.signature, (err, isValid) => {
+ if (err || !isValid) {
 log.error('record signature verification failed')
 return callback(Object.assign(new Error('record signature verification failed'), { code: ERRORS.ERR_SIGNATURE_VERIFICATION }))
 }
diff --git a/test/index.spec.js b/test/index.spec.js
index 761df81..aded798 100644
--- a/test/index.spec.js
+++ b/test/index.spec.js
@@ -16,6 +16,7 @@ const crypto = require('libp2p-crypto')
 const { fromB58String } = require('multihashes')
 const ipns = require('../src')
+const ERRORS = require('../src/errors')
 const df = DaemonFactory.create({ type: 'proc', exec: ipfs })
@@ -88,7 +89,7 @@ describe('ipns', function () {
 ipns.create(rsa, cid, sequence, validity, (err, entry) => {
 expect(err).to.not.exist()
- ipns.validate(rsa.public, entry, (err, res) => {
+ ipns.validate(rsa.public, entry, (err) => {
 expect(err).to.not.exist()
 done()
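Review bot: In the `src/index.js` hunk the merged `err || !isValid` branch throws away `err`, so an internal verify failure and a well-formed signature that simply does not match produce the same log line and the same error object; logging the cause when it is present, e.g. `if (err) log.error(err)`, keeps the two apart for triage without changing the `ERR_SIGNATURE_VERIFICATION` code callers see. The call also deserves a comment recording the contract this fix relies on, such as `// verify() reports a mismatch through isValid, not err; a missing or falsy isValid must be treated as invalid`, so the check is not simplified back to `if (err)` later. `validate` starts and ends outside the hunk, so anything it does to the record before or after this call is not visible here.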
@@ -96,6 +97,27 @@ describe('ipns', function () {
 })
 })
+ it('should fail to validate a bad record', (done) => {
+ const sequence = 0
+ const validity = 1000000
+
+ ipns.create(rsa, cid, sequence, validity, (err, entry) => {
+ expect(err).to.not.exist()
+
+ // corrupt the record by changing the value to random bytes
+ entry.value = crypto.randomBytes(46).toString()
+
+ ipns.validate(rsa.public, entry, (err) => {
+ expect(err).to.exist()
+ expect(err).to.include({
+ code: ERRORS.ERR_SIGNATURE_VERIFICATION
+ })
+
+ done()
+ })
+ })
+ })
+
+ it('should create an ipns record with a validity of 1 nanosecond correctly and it should not be valid 1ms later', (done) => {
 const sequence = 0
 const validity = 0.00001
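Review bot: The new negative test in `test/index.spec.js` alters only `entry.value`, so the regression is pinned for changed data but not for a changed signature or for a record checked against a different key, both of which reach the same `verify` call through other arguments. A sibling case that leaves the value intact and overwrites the signature, e.g. `entry.signature = crypto.randomBytes(entry.signature.length)` (assuming the signature is a Buffer), would cover that path. `crypto.randomBytes(46).toString()` decodes random bytes as UTF-8, so the resulting string has no fixed length or content; a short comment saying the value only needs to differ from what was signed would make the intent clear.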