Fix sec vuln with list of claims #426
…codeowners-1600076031644796752 [skip ci] Adding CODEOWNERS file
Signed-off-by: Alistair Hey <alistair.hey@form3.tech>
| @@ -2,7 +2,7 @@ package jwt_test | |||
|
|
|||
| import ( | |||
| "fmt" | |||
| "github.com/dgrijalva/jwt-go" | |||
| "github.com/form3tech-oss/jwt-go" | |||
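Review bot: the import in example_test.go is switched from "github.com/dgrijalva/jwt-go" to "github.com/form3tech-oss/jwt-go", which points this repository's own godoc examples at a fork; a fix submitted upstream should keep the original import path so the examples continue to build and document the package they live in.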
Why are these changes needed in example_test.go?
Functions should be named as Example - to have examples in godoc.
Also some external jwt-go is imported.
| if !ok { | ||
| strAud, ok := m["aud"].(string) | ||
| aud = append(aud, strAud) | ||
| if !ok { |
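Review bot: in the audience parsing, `aud = append(aud, strAud)` runs before `if !ok {`, so when the assertion `strAud, ok := m["aud"].(string)` fails, the zero-value empty string is appended to aud before the failure branch is reached; move the `if !ok` check directly after the assertion and append only once it has passed.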
nit: if should be before aud = append(aud, strAud)
oh sorry - we decided to fork and fix in our company org and I left this PR open

but why closing it? :) It would be great to have vulnerability fix merged into upstream

@Waterdrips Echoing @sev3ryn's comment - it would be ideal to have this fix live in the latest version. This is now categorised as a high severity vulnerability https://snyk.io/vuln/golang:github.com%2Fdgrijalva%2Fjwt-go and means we can no longer use the library in an enterprise environment
there's an open PR addressing this from Match #385 which has not been addressed. We have taken the decision to fix this on our oss fork rather than wait for some activity here.

@dgrijalva if you have time to merge a fix like this, then we can all dump our forks to /dev/null. What are your thoughts?

Are we going to fix and bump the new version of the library?

See #286
This PR adds a fix for #422
Tests were added for failing and passing states, then the code was updated for the case in the JWT spec that allows a list of "aud" as well as a single string "aud".
Signed-off-by: Alistair Hey alistair@heyal.co.uk
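As an added example, not code from this PR or from jwt-go itself: an audience check that accepts both the single-string and the list form of "aud" the PR description refers to, tests each type assertion before appending (the ordering the review nit asks for), and fails closed on any other shape rather than comparing against an empty audience. The function names and the `map[string]interface{}` claim layout are assumptions.

```go
package main

import "crypto/subtle"

// audienceList extracts the "aud" claim, which RFC 7519 allows to be a single
// string or an array of strings. Any other shape, or a non-string element in
// the array, is rejected so the check fails closed instead of silently
// comparing against an empty audience.
func audienceList(claims map[string]interface{}) ([]string, bool) {
	raw, present := claims["aud"]
	if !present {
		return nil, true // absent: caller decides via the required flag
	}
	switch v := raw.(type) {
	case string:
		return []string{v}, true
	case []interface{}: // shape produced by encoding/json for a JSON array
		aud := make([]string, 0, len(v))
		for _, a := range v {
			s, ok := a.(string)
			if !ok { // test the assertion before appending, never after
				return nil, false
			}
			aud = append(aud, s)
		}
		return aud, true
	default:
		return nil, false
	}
}

// VerifyAudience reports whether cmp is one of the token's audiences. With
// required=false an absent claim passes; a malformed one never does.
func VerifyAudience(claims map[string]interface{}, cmp string, required bool) bool {
	aud, ok := audienceList(claims)
	if !ok {
		return false
	}
	if len(aud) == 0 {
		return !required
	}
	for _, a := range aud {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}
```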