
Fix security vulnerability
Fixes a security vulnerability where a JWT could potentially be validated even though it contained invalid string characters.

(cherry picked from commit a211650c6ae1cff6d7347d3e24070d65dcfb1122)
form3tech-oss/jwt-go#14

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
giorgos-f3 authored and thaJeztah committed Jul 29, 2021
1 parent 860640e commit 3479ee4
Showing 2 changed files with 59 additions and 13 deletions.
38 changes: 25 additions & 13 deletions map_claims.go
Expand Up @@ -34,30 +34,38 @@ func (m MapClaims) VerifyAudience(cmp string, req bool) bool {
// Compares the exp claim against cmp.
// If required is false, this method will return true if the value matches or is unset
func (m MapClaims) VerifyExpiresAt(cmp int64, req bool) bool {
switch exp := m["exp"].(type) {
exp, ok := m["exp"]
if !ok {
return !req
}
switch expType := exp.(type) {
case float64:
return verifyExp(int64(exp), cmp, req)
return verifyExp(int64(expType), cmp, req)
case json.Number:
v, _ := exp.Int64()
v, _ := expType.Int64()
return verifyExp(v, cmp, req)
}
return !req
return false
}

// Compares the iat claim against cmp.
// If required is false, this method will return true if the value matches or is unset
func (m MapClaims) VerifyIssuedAt(cmp int64, req bool) bool {
switch iat := m["iat"].(type) {
iat, ok := m["iat"]
if !ok {
return !req
}
switch iatType := iat.(type) {
case float64:
return verifyIat(int64(iat), cmp, req)
return verifyIat(int64(iatType), cmp, req)
case json.Number:
v, _ := iat.Int64()
v, _ := iatType.Int64()
return verifyIat(v, cmp, req)
}
return !req
return false
}

// Compares the iss claim against cmp.
// Compares the iss claim against cmp.``
// If required is false, this method will return true if the value matches or is unset
func (m MapClaims) VerifyIssuer(cmp string, req bool) bool {
iss, _ := m["iss"].(string)
Expand All @@ -67,14 +75,18 @@ func (m MapClaims) VerifyIssuer(cmp string, req bool) bool {
// Compares the nbf claim against cmp.
// If required is false, this method will return true if the value matches or is unset
func (m MapClaims) VerifyNotBefore(cmp int64, req bool) bool {
switch nbf := m["nbf"].(type) {
nbf, ok := m["nbf"]
if !ok {
return !req
}
switch nbfType := nbf.(type) {
case float64:
return verifyNbf(int64(nbf), cmp, req)
return verifyNbf(int64(nbfType), cmp, req)
case json.Number:
v, _ := nbf.Int64()
v, _ := nbfType.Int64()
return verifyNbf(v, cmp, req)
}
return !req
return false
}

// Validates time based claims "exp, iat, nbf".
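Review bot: The json.Number branches in VerifyExpiresAt, VerifyIssuedAt and VerifyNotBefore still discard the conversion error (`v, _ := expType.Int64()` and its iat/nbf twins), so a Number that does not parse as int64 is verified as 0 — which, if verifyNbf/verifyIat accept any value at or before now, lets a malformed nbf/iat claim pass in much the same way the string case did before this fix. Returning false on error, `v, err := expType.Int64(); if err != nil { return false }`, closes that gap; if fractional NumericDate values must still be accepted through json.Number, fall back to Float64() and truncate before rejecting. The added comment line `// Compares the iss claim against cmp.``` carries stray backticks that should be dropped. The same zero-value-on-type-mismatch pattern remains in VerifyIssuer (`iss, _ := m["iss"].(string)`), whose body continues outside the hunk, so a non-string iss claim is compared as the empty string rather than rejected.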
34 changes: 34 additions & 0 deletions map_claims_test.go
Expand Up @@ -66,3 +66,37 @@ func TestVerifyAud(t *testing.T) {
})
}
}

func Test_mapclaims_verify_issued_at_invalid_type_string(t *testing.T) {
mapClaims := MapClaims{
"iat": "foo",
}
want := false
got := mapClaims.VerifyIssuedAt(0, false)
if want != got {
t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
}
}

func Test_mapclaims_verify_not_before_invalid_type_string(t *testing.T) {
mapClaims := MapClaims{
"nbf": "foo",
}
want := false
got := mapClaims.VerifyNotBefore(0, false)
if want != got {
t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
}
}

func Test_mapclaims_verify_expires_at_invalid_type_string(t *testing.T) {
mapClaims := MapClaims{
"exp": "foo",
}
want := false
got := mapClaims.VerifyExpiresAt(0, false)

if want != got {
t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
}
}
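Review bot: The three new tests only exercise a string-typed claim with req=false; the `!ok` branch the fix introduces (claim absent → `!req`) and the req=true path are not pinned, so a regression that returns false for a missing optional claim, or true for a missing required one, would pass this suite. A small table over the three claims with cases {string, req=false → false}, {string, req=true → false}, {absent, req=false → true}, {absent, req=true → false} covers this without repeating the Fatalf boilerplate per function. Go test names are conventionally MixedCaps (`TestMapClaimsVerifyIssuedAtInvalidTypeString`) rather than snake_case.
```go
func TestMapClaimsVerifyTimeClaimsInvalidOrMissing(t *testing.T) {
	verifiers := []struct {
		key string
		fn  func(MapClaims, bool) bool
	}{
		{"iat", func(m MapClaims, req bool) bool { return m.VerifyIssuedAt(0, req) }},
		{"nbf", func(m MapClaims, req bool) bool { return m.VerifyNotBefore(0, req) }},
		{"exp", func(m MapClaims, req bool) bool { return m.VerifyExpiresAt(0, req) }},
	}
	cases := []struct {
		name  string
		claim interface{} // nil means the claim is absent
		req   bool
		want  bool
	}{
		{"string value, optional", "foo", false, false},
		{"string value, required", "foo", true, false},
		{"absent, optional", nil, false, true},
		{"absent, required", nil, true, false},
	}
	for _, v := range verifiers {
		for _, tc := range cases {
			m := MapClaims{}
			if tc.claim != nil {
				m[v.key] = tc.claim
			}
			if got := v.fn(m, tc.req); got != tc.want {
				t.Errorf("%s %s: want %v got %v", v.key, tc.name, tc.want, got)
			}
		}
	}
}
```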
