Parent version is unverified

[carmiac]

In the Sealed/Unseal structs, the encryption only covers version_id. The parent version id only lives in the filename/object name/etc. Anyone with write access to the store (but not the encryption key) could rename v-parentA-versionB → v-parentC-versionB and the decryption would still succeed, silently rewriting the version chain.

This is a small risk, and more likely to be a result of a failed transaction (ask me how I discovered it), but the fix is easy enough. Adding a parent_id to the Sealed/Unsealed structs with a check either in cryptor, or more likely in each server implementation, could prevent this.

[djmitche]

Good find! This would definitely allow an attacker with control of the storage to remove versions from the version chain.

Fixing this will be a little bit tricky since it must maintain compatibility with existing implementations, at least for some transition period. That is, there are sealed versions out there without parent_id's, and there are Taskchampion implementations out there that don't expect a parent_id.

I think that rules out putting the parent ID in the AAD -- an old Taskchampion implementation would be unable to unseal the version. So it might be easiest to add it to the taskdb::Version struct, as long as old versions could successfully deserialize a JSON object containing this additional property without failing.