Originally brought up in #40 by @ahmedcharles.
To summarize things:
Because SOPS calculates the additional data (AAD) from the key path joined with `:`, it is possible to move `to.to = "encrypted secret"` to a single key named `to:to` without it being caught during decryption: both paths produce the same additional data.
One possible solution would be to add a new metadata field (called `stronger_path_mac`, for example) which is calculated from the length and value of each key string rather than from the joined path, allowing files to remain backwards compatible with SOPS.
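The following is an added illustration, not SOPS code: it models the `:`-joined path encoding (assumed here to be the components joined with `:` plus a trailing `:`, as the issue describes) beside a length-prefixed encoding of each key, and uses an HMAC over the encoded path as a stand-in for the AAD check that happens during decryption. The key and paths are constructed for the demo.

```python
import hashlib
import hmac


def legacy_aad(path):
    """Assumed SOPS-style additional data: components joined with ':' plus a trailing ':'.
    This encoding is not injective, so different paths can map to the same bytes."""
    return (":".join(path) + ":").encode("utf-8")


def length_prefixed_aad(path):
    """Injective encoding: every component is preceded by its byte length,
    so a component containing ':' can never be confused with a nested path."""
    out = bytearray()
    for component in path:
        raw = component.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def path_mac(key, path, encode):
    """HMAC over the encoded path; stands in for the AAD binding of a ciphertext."""
    return hmac.new(key, encode(path), hashlib.sha256).hexdigest()


def verify(key, path, expected_mac, encode):
    """Constant-time check of the MAC a file would carry for a value at `path`."""
    return hmac.compare_digest(path_mac(key, path, encode), expected_mac)


def demo():
    key = b"constructed-demo-key"          # constructed, not a real SOPS data key
    original = ["to", "to"]                # the nested key to.to
    moved = ["to:to"]                      # a single top-level key named "to:to"

    mac_legacy = path_mac(key, original, legacy_aad)
    mac_strong = path_mac(key, original, length_prefixed_aad)
    return {
        # legacy encoding: both paths serialize to b"to:to:" and the moved value still verifies
        "legacy_collides": legacy_aad(original) == legacy_aad(moved),
        "legacy_verifies_moved": verify(key, moved, mac_legacy, legacy_aad),
        # length-prefixed encoding: the two paths differ and the moved value fails verification
        "strong_collides": length_prefixed_aad(original) == length_prefixed_aad(moved),
        "strong_verifies_moved": verify(key, moved, mac_strong, length_prefixed_aad),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the length prefix is that the encoding becomes a one-to-one mapping from a path to bytes, which is the property the current join lacks; any injective serialization (length-prefixed, escaped separators, a canonical structured encoding) closes the same gap, and because the new MAC lives in a separate metadata field, older SOPS versions can keep reading the file.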