Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: ensure JWT segments have the right types #1162

Merged
merged 3 commits into from Nov 15, 2022
Merged

fix: ensure JWT segments have the right types #1162

merged 3 commits into from Nov 15, 2022
+36 −2

Conversation

ret2libc
Copy link
Contributor

@ret2libc ret2libc commented Oct 12, 2022
edited

Function _unverified_decode assumes header is a dict and performs a .get("alg") after decoding the JWT token, however the header may be a different object which does not have the get method. Similar problem for the payload segment, which is accessed as a dictionary but there is no check for it.

This PR fixes the problem by checking the type of header/payload in the _unverified_decode function.

@google-cla
Copy link

google-cla bot commented Oct 12, 2022

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@ret2libc ret2libc changed the title fix: ensure JWT header is a dict before accessing its methods fix: ensure JWT segments have the right types Oct 12, 2022
@clundin25
Copy link
Contributor

Minor comments, otherwise LGTM.

Thank you for your contribution!

sai-sunder-s
sai-sunder-s reviewed Oct 18, 2022
View reviewed changes
google/auth/jwt.py Outdated Show resolved Hide resolved
@clundin25
Copy link
Contributor

Hi @ret2libc,

In order for the tests to pass can you merge clundin25@17cc33f? Alternatively, I can push it to your branch if you give me write permissions to your fork.

Thanks!

@ret2libc
Copy link
Contributor Author

Hi @ret2libc,

In order for the tests to pass can you merge clundin25@17cc33f? Alternatively, I can push it to your branch if you give me write permissions to your fork.

Thanks!

Done!

@clundin25 clundin25 added kokoro:force-run Add this label to force Kokoro to re-run the tests. kokoro:run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Oct 26, 2022
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Oct 26, 2022
@yoshi-kokoro yoshi-kokoro removed kokoro:run Add this label to force Kokoro to re-run the tests. kokoro:force-run Add this label to force Kokoro to re-run the tests. labels Oct 26, 2022
clundin25
clundin25 reviewed Oct 26, 2022
View reviewed changes
tests/test_jwt.py Outdated Show resolved Hide resolved
@ret2libc ret2libc force-pushed the check-jwt-header-type branch 2 times, most recently from cd0bfbf to 248a3fc Compare October 31, 2022 08:57
@clundin25
Copy link
Contributor

Hi @ret2libc,

Sorry for the delay, I was OOTO. Can you sync your branch? Sorry for the toil.

@ret2libc
Copy link
Contributor Author

ret2libc commented Nov 8, 2022

@clundin25 done!

@clundin25 clundin25 added the owlbot:run Add this label to trigger the Owlbot post processor. label Nov 8, 2022
@yoshi-kokoro yoshi-kokoro removed kokoro:run Add this label to force Kokoro to re-run the tests. kokoro:force-run Add this label to force Kokoro to re-run the tests. labels Nov 14, 2022
@clundin25
Copy link
Contributor

No need to apologize @ret2libc, we appreciate your contribution and I apologize for the system test churn.

Here is a fresh token. b691524

@ret2libc
Copy link
Contributor Author

I have used your new commit. Also, I don't see any test failure locally. Let's see the CI :)

@clundin25 clundin25 added kokoro:force-run Add this label to force Kokoro to re-run the tests. kokoro:run Add this label to force Kokoro to re-run the tests. labels Nov 14, 2022
@yoshi-kokoro yoshi-kokoro removed kokoro:run Add this label to force Kokoro to re-run the tests. kokoro:force-run Add this label to force Kokoro to re-run the tests. labels Nov 14, 2022
@ret2libc
Copy link
Contributor Author

Oh, I see. It's python2. Will have a fix by EOD.

@clundin25 clundin25 added kokoro:force-run Add this label to force Kokoro to re-run the tests. kokoro:run Add this label to force Kokoro to re-run the tests. labels Nov 14, 2022
@yoshi-kokoro yoshi-kokoro removed kokoro:run Add this label to force Kokoro to re-run the tests. kokoro:force-run Add this label to force Kokoro to re-run the tests. labels Nov 14, 2022
@ret2libc
Copy link
Contributor Author

@clundin25 do you have any idea what's going on now?

@clundin25
Copy link
Contributor

Sorry for the delay. @ret2libc looks like the formatter choked.

This patch should resolve it.

clundin25@bc02d36

@clundin25 clundin25 added kokoro:force-run Add this label to force Kokoro to re-run the tests. kokoro:run Add this label to force Kokoro to re-run the tests. labels Nov 15, 2022
@yoshi-kokoro yoshi-kokoro removed kokoro:run Add this label to force Kokoro to re-run the tests. kokoro:force-run Add this label to force Kokoro to re-run the tests. labels Nov 15, 2022
@clundin25 clundin25 added the owlbot:run Add this label to trigger the Owlbot post processor. label Nov 15, 2022
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Nov 15, 2022
@clundin25 clundin25 merged commit fc843cd into googleapis:main Nov 15, 2022
@clundin25
Copy link
Contributor

Thanks again for your contribution!

@release-please release-please bot mentioned this pull request Nov 15, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sai-sunder-s sai-sunder-s sai-sunder-s left review comments

@clundin25 clundin25 clundin25 approved these changes

@arithmetic1728 arithmetic1728 Awaiting requested review from arithmetic1728

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ret2libc @clundin25 @sai-sunder-s @yoshi-kokoro