fix: ensure JWT payload is a dict before accessing its methods

googleapis · Oct 24, 2022 · 45aec15 · 45aec15
1 parent 7b5b91a
commit 45aec15
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/google/auth/jwt.py b/google/auth/jwt.py
@@ -133,7 +133,7 @@ def _unverified_decode(token):
         token (Union[str, bytes]): The encoded JWT.
 
     Returns:
-        Tuple[Mapping, str, str, str]: header, payload, signed_section, and
+        Tuple[Mapping, Mapping, str, str]: header, payload, signed_section, and
             signature.
 
     Raises:
@@ -154,7 +154,14 @@ def _unverified_decode(token):
     payload = _decode_jwt_segment(encoded_payload)
 
     if not isinstance(header, Mapping):
-        raise ValueError("Header segment should be a JSON object: {0}".format(encoded_header))
+        raise ValueError(
+            "Header segment should be a JSON object: {0}".format(encoded_header)
+        )
+
+    if not isinstance(payload, Mapping):
+        raise ValueError(
+            "Payload segment should be a JSON object: {0}".format(encoded_payload)
+        )
 
     return header, payload, signed_section, signature
 

diff --git a/tests/test_jwt.py b/tests/test_jwt.py
@@ -137,6 +137,16 @@ def test_decode_header_object(token_factory):
     assert excinfo.match(r"Header segment should be a JSON object: b'M7'")
 
 
+def test_decode_payload_object(signer):
+    # Create a malformed JWT token with a payload containing both "iat" and
+    # "exp" strings, although not as fields of a dictionary
+    payload = jwt.encode(signer, "iatexp")
+
+    with pytest.raises(ValueError) as excinfo:
+        jwt.decode(payload, certs=PUBLIC_CERT_BYTES)
+    assert excinfo.match(r"Payload segment should be a JSON object: b'ImlhdGV4cCI'")
+
+
 def test_decode_valid_es256(token_factory):
     payload = jwt.decode(
         token_factory(use_es256_signer=True), certs=EC_PUBLIC_CERT_BYTES