Added a type check on the token kid

jwt · Jan 31, 2023 · 00a2e31 · 00a2e31
1 parent bc80470
commit 00a2e31
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/lib/jwt/jwk/key_finder.rb b/lib/jwt/jwk/key_finder.rb
@@ -16,6 +16,7 @@ def initialize(options)
 
       def key_for(kid)
         raise ::JWT::DecodeError, 'No key id (kid) found from token headers' unless kid || @allow_nil_kid
+        raise ::JWT::DecodeError, 'Invalid type for kid header parameter' unless kid.nil? || kid.is_a?(String)
 
         jwk = resolve_key(kid)
 

diff --git a/spec/jwk/decode_with_jwk_spec.rb b/spec/jwk/decode_with_jwk_spec.rb
@@ -90,6 +90,15 @@
       end
     end
 
+    context 'when the token kid is not a string' do
+      let(:token_headers) { { kid: 5 } }
+      it 'raises an exception' do
+        expect { described_class.decode(signed_token, nil, true, { algorithms: ['RS512'], jwks: public_jwks }) }.to raise_error(
+          JWT::DecodeError, 'Invalid type for kid header parameter'
+        )
+      end
+    end
+
     context 'mixing algorithms using kid header' do
       let(:hmac_jwk)           { JWT::JWK.new('secret') }
       let(:rsa_jwk)            { JWT::JWK.new(OpenSSL::PKey::RSA.new(2048)) }