Canto Identity Subprotocols contest - bin2chen's results

Subprotocols for Canto Identity Protocol.

General Information

Platform: Code4rena

Start Date: 17/03/2023

Pot Size: $36,500 USDC

Total HM: 10

Participants: 98

Period: 3 days

Judge: leastwood

Total Solo HM: 5

Id: 223

League: ETH

Researcher Performance

Rank: 73/98

Findings: 1

Award: $19.87

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

19.8705 USDC - $19.87

Labels

bug
2 (Med Risk)
satisfactory
edited-by-warden
duplicate-212

External Links

Lines of code

https://github.com/code-423n4/2023-03-canto-identity/blob/077372297fc419ea7688ab62cc3fd4e8f4e24e66/canto-bio-protocol/src/Bio.sol#L108-L109

Vulnerability details

Impact

tokenURI() does not escape special characters, which may produce invalid JSON that the front-end cannot parse.

Proof of Concept

In Bio.sol, a user can set the bio string, which tokenURI() then returns inside a JSON document for the front-end to use. The tokenURI() code is as follows:

    function tokenURI(uint256 _id) public view override returns (string memory) {
        // ...
        string memory bioText = bio[_id];
        // ...
        string memory json = Base64.encode(
            bytes(
                string.concat(
                    '{"name": "Bio #',
                    LibString.toString(_id),
                    '", "description": "',
                    bioText, // <-- special characters such as " are not escaped; concatenated directly
                    '", "image": "data:image/svg+xml;base64,',
                    Base64.encode(bytes(string.concat(svg, text, "</text></svg>"))),
                    '"}'
                )
            )
        );
        return string(abi.encodePacked("data:application/json;base64,", json));
    }

The problem with the above code is that, when the JSON is concatenated, bioText is not escaped for special characters such as ", which may produce invalid JSON.

The following is an example. Suppose alice sets the bio to alice"123; tokenURI() will then produce the JSON: {"name": "Bio #1", "description": "alice"123", "image": "data:image/svg+xml;base64,"}

The front-end will report an error when parsing it:

    # -*- coding: utf-8 -*-
    import json


    json_str = '{"name": "Bio #1","description": "alice"123","image": "data:image/svg+xml;base64,"}'

    py_dict = json.loads(json_str)

    print(py_dict)

    $ python test.py
    Traceback (most recent call last):
      File "test.py", line 7, in <module>
        py_dict = json.loads(json_str)
      File " .pyenv/versions/2.7.18/lib/python2.7/json/__init__.py", line 339, in loads
        return _default_decoder.decode(s)
      File " .pyenv/versions/2.7.18/lib/python2.7/json/decoder.py", line 364, in decode
        obj, end = self.raw_decode(s, idx=_w(s, 0).end())
      File " .pyenv/versions/2.7.18/lib/python2.7/json/decoder.py", line 380, in raw_decode
        obj, end = self.scan_once(s, idx)
    ValueError: Expecting , delimiter: line 1 column 41 (char 40)

Special characters therefore need to be escaped, otherwise the front-end cannot parse the JSON properly. Suggest using solady/utils/LibString.sol#escapeJSON(bioText).

Note: for the SVG, applying LibString.escapeHTML(strLines[i]) to each strLines[i] is recommended as well.
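The check below is an added example, not code from the original submission or from the Canto or solady repositories. It rebuilds the tokenURI() data URI with and without escaping and parses it the way a front-end would, going beyond the `"` case to backslashes and control characters. `escape_json` is a hypothetical Python stand-in written from RFC 8259 for the escaping the finding asks for, and the image payload is left empty as in the example above.

```python
import base64
import json

DATA_PREFIX = "data:application/json;base64,"

def escape_json(s):
    """Escape a string for use inside a JSON string literal (RFC 8259).
    Hypothetical stand-in for the escaping the finding recommends."""
    short = {'"': '\\"', "\\": "\\\\", "\b": "\\b", "\f": "\\f",
             "\n": "\\n", "\r": "\\r", "\t": "\\t"}
    out = []
    for ch in s:
        if ch in short:
            out.append(short[ch])
        elif ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))  # remaining control characters
        else:
            out.append(ch)
    return "".join(out)

def build_token_uri(token_id, bio_text, escape):
    """Mirror the string.concat in tokenURI(); image payload left empty."""
    description = escape_json(bio_text) if escape else bio_text
    raw = ('{"name": "Bio #' + str(token_id) + '", "description": "'
           + description + '", "image": "data:image/svg+xml;base64,"}')
    return DATA_PREFIX + base64.b64encode(raw.encode("utf-8")).decode("ascii")

def check_token_uri(uri, expected_bio):
    """Front-end style check: decode, parse, compare the description."""
    if not uri.startswith(DATA_PREFIX):
        return "bad-prefix"
    raw = base64.b64decode(uri[len(DATA_PREFIX):]).decode("utf-8")
    try:
        meta = json.loads(raw)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return "invalid-json"
    return "ok" if meta.get("description") == expected_bio else "mismatch"

# Constructed sample bios: plain text, the finding's example, other special characters.
SAMPLE_BIOS = ["alice", 'alice"123', "back\\slash", "line1\nline2", "tab\there"]

def run_checks():
    return [(bio, check_token_uri(build_token_uri(1, bio, False), bio),
             check_token_uri(build_token_uri(1, bio, True), bio))
            for bio in SAMPLE_BIOS]

if __name__ == "__main__":
    for bio, raw_result, escaped_result in run_checks():
        print(repr(bio), "unescaped:", raw_result, "escaped:", escaped_result)
```
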

Tools Used

+ import {LibString as LibString2} from "solady/utils/LibString.sol";

contract BioTest is Test {

    function tokenURI(uint256 _id) public view override returns (string memory) {
..
        string memory json = Base64.encode(
            bytes(
                string.concat(
                    '{"name": "Bio #',
                    LibString.toString(_id),
                    '", "description": "',
-                   bioText,                    
+                   LibString2.escapeJSON(bioText),
                    '", "image": "data:image/svg+xml;base64,',
                    Base64.encode(bytes(string.concat(svg, text, "</text></svg>"))),
                    '"}'
                )
            )
        );
        return string(abi.encodePacked("data:application/json;base64,", json));
    }    
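
Review bot: the image branch in this hunk, `Base64.encode(bytes(string.concat(svg, text, "</text></svg>")))`, still concatenates `text` unescaped, so the patch only covers the description field; the note above the patch recommends LibString.escapeHTML(strLines[i]), and that change belongs in the same patch at the point where `text` is built. The header line reads `contract BioTest is Test {` although the function is a `tokenURI` override, so the patch should be written against the contract that actually defines tokenURI. The `LibString2` alias also leaves two LibString libraries in one expression (`LibString.toString` and `LibString2.escapeJSON`); a descriptive alias, or a single library for both calls, would make the import easier to audit.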

#0 - c4-judge

2023-03-29T05:10:52Z

0xleastwood marked the issue as duplicate of #212

#1 - c4-judge

2023-04-11T19:36:38Z

0xleastwood marked the issue as satisfactory
