Switch to form3-tech/jwt-go.

The old library is abaondoned and has some severe CVEs in it. The form3-tech fork has fixed those CVEs and is the most popular fork. CVE is here: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515 Also switch the key size in the jwt_test to 512, this appears required for go 1.13 Signed-off-by: Dan Lorenc <dlorenc@google.com>
heketi · Jan 11, 2021 · c1ddb88 · c1ddb88
1 parent fb089ac
commit c1ddb88
Show file tree

Hide file tree

Showing 7 changed files with 15 additions and 13 deletions.
diff --git a/apps/glusterfs/app_middleware.go b/apps/glusterfs/app_middleware.go
@@ -13,7 +13,7 @@ import (
 	"net/http"
 	"strings"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	jwt "github.com/form3tech-oss/jwt-go"
 	"github.com/urfave/negroni"
 
 	"github.com/heketi/heketi/middleware"

diff --git a/client/api/go-client/client.go b/client/api/go-client/client.go
@@ -25,7 +25,7 @@ import (
 	"strconv"
 	"time"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	jwt "github.com/form3tech-oss/jwt-go"
 	"github.com/heketi/heketi/pkg/utils"
 )
 

diff --git a/docs/profiling.md b/docs/profiling.md
@@ -63,7 +63,7 @@ Showing top 10 nodes out of 93
     6.50MB  3.25% 77.23%     6.50MB  3.25%  context.WithValue
     6.50MB  3.25% 80.48%     6.50MB  3.25%  encoding/json.(*decodeState).literalStore
        6MB  3.00% 83.49%     6.50MB  3.25%  net/textproto.(*Reader).ReadLine
-    5.50MB  2.75% 86.24%    39.51MB 19.76%  github.com/heketi/heketi/vendor/github.com/dgrijalva/jwt-go.(*Parser).ParseWithClaims
+    5.50MB  2.75% 86.24%    39.51MB 19.76%  github.com/heketi/heketi/vendor/github.com/form3tech-oss/jwt-go.(*Parser).ParseWithClaims
 ```
 
 ```

diff --git a/glide.lock b/glide.lock
diff --git a/glide.yaml b/glide.yaml
@@ -1,10 +1,11 @@
 package: github.com/heketi/heketi
 import:
 - package: github.com/auth0/go-jwt-middleware
+  version: 36081240882bbf356af6efb152969e4b0bcf4456
 - package: github.com/boltdb/bolt
   version: ^1.3.0
-- package: github.com/dgrijalva/jwt-go
-  version: ^3.0.0
+- package: github.com/form3tech-oss/jwt-go
+  version: ^3.2.2
 - package: github.com/gorilla/context
 - package: github.com/gorilla/mux
 - package: github.com/heketi/rest

diff --git a/middleware/jwt.go b/middleware/jwt.go
@@ -22,7 +22,7 @@ import (
 	"time"
 
 	jwtmiddleware "github.com/auth0/go-jwt-middleware"
-	jwt "github.com/dgrijalva/jwt-go"
+	jwt "github.com/form3tech-oss/jwt-go"
 	"github.com/heketi/heketi/pkg/logging"
 )
 
@@ -42,7 +42,7 @@ func init() {
 	}
 }
 
-// From https://github.com/dgrijalva/jwt-go/pull/139 it is understood
+// From https://github.com/form3tech-oss/jwt-go/pull/139 it is understood
 // that if the machine where jwt token is generated and/or the machine
 // where jwt token is verified have any clock skew then there is a
 // possibility of getting a "Token used before issued" error.

diff --git a/middleware/jwt_test.go b/middleware/jwt_test.go
@@ -24,7 +24,7 @@ import (
 	"testing"
 	"time"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	jwt "github.com/form3tech-oss/jwt-go"
 	"github.com/heketi/heketi/pkg/utils"
 	"github.com/heketi/tests"
 	"github.com/urfave/negroni"
@@ -981,7 +981,7 @@ func TestJwtWrongSigningMethod(t *testing.T) {
 	// Setup pre-req bits needed to make our PS256 valid.
 	// Should we use a fake source of randomness instead of real
 	// rand.Reader here?
-	pk, err := rsa.GenerateKey(rand.Reader, 256*2)
+	pk, err := rsa.GenerateKey(rand.Reader, 512*2)
 	tests.Assert(t, err == nil, "rsa.GenerateKey failed:", err)
 	tokenString, err := token.SignedString(pk)
 	tests.Assert(t, err == nil, "token.SignedString failed:", err)