From 10bf1f76a37b7642de070977c7c2fe4768f7c656 Mon Sep 17 00:00:00 2001
From: Ben Wiggins
Date: Wed, 15 Aug 2018 20:53:30 +1000
Subject: [PATCH 1/4] Fix security vuln

---
 index.js        | 9 +++++----
 test/builder.js | 2 +-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/index.js b/index.js
index c44df8c..18cf607 100644
--- a/index.js
+++ b/index.js
@@ -39,8 +39,9 @@ function nowEpochSeconds(){
   return Math.floor(new Date().getTime()/1000);
 }
 
-function base64urlEncode(str) {
-  return new Buffer(str)
+function base64urlEncode(data) {
+  const str = typeof data === 'number' ? data.toString() : data
+  return Buffer.from(str)
     .toString('base64')
     .replace(/\+/g, '-')
     .replace(/\//g, '_')
@@ -277,7 +278,7 @@ Parser.prototype.isSupportedAlg = isSupportedAlg;
 Parser.prototype.safeJsonParse = function(input) {
   var result;
   try{
-    result = JSON.parse(new Buffer(base64urlUnescape(input),'base64'));
+    result = JSON.parse(Buffer.from(base64urlUnescape(input),'base64'));
   }catch(e){
     return e;
   }
@@ -297,7 +298,7 @@ Parser.prototype.parse = function parse(jwtString,cb){
   var body = this.safeJsonParse(segments[1]);
 
   if(segments[2]){
-    signature = new Buffer(base64urlUnescape(segments[2]),'base64')
+    signature = Buffer.from(base64urlUnescape(segments[2]),'base64')
       .toString('base64');
   }
 
diff --git a/test/builder.js b/test/builder.js
index c1a20d2..a0a33b2 100644
--- a/test/builder.js
+++ b/test/builder.js
@@ -101,7 +101,7 @@ describe('base64 URL Encoding',function(){
       assert.equal(
         nJwt.Jwt.prototype.sign(
           [compactHeader,compactBody].join('.'),
-          'HS256',new Buffer(key,'base64')
+          'HS256',Buffer.from(key,'base64')
         ),
         expectedSignature
       );

From b7cee22a4caf8e538d70b44e513ef1e44a0b4e00 Mon Sep 17 00:00:00 2001
From: Ben Wiggins
Date: Wed, 15 Aug 2018 21:03:02 +1000
Subject: [PATCH 2/4] Forgot a semicolon :)

---
 index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.js b/index.js
index 18cf607..4de537b 100644
--- a/index.js
+++ b/index.js
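Review bot: The number special-case in base64urlEncode is the whole security fix, yet nothing in the hunk says why a number is coerced, so the next maintainer may "simplify" `const str = typeof data === 'number' ? data.toString() : data` away; add a comment above it such as `// new Buffer(n) allocated n uninitialized bytes (memory disclosure); numbers are encoded as their decimal string instead`. Any other non-string, non-Buffer input (boolean, object, undefined) now reaches `Buffer.from` and throws a TypeError, which is the safe outcome, and the comment should state that this is intended rather than a gap. base64urlEncode's body continues outside the hunk. The same `Buffer.from` migration in the safeJsonParse and parse hunks of this file looks correct; in safeJsonParse the Buffer is passed straight to `JSON.parse`, relying on its implicit `toString()`, and an explicit `.toString('utf8')` would make the decoding step visible. If package.json still declares Node engines that predate `Buffer.from`, this is also a compatibility break there, which is not visible in this patch.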
@@ -40,7 +40,7 @@ function nowEpochSeconds(){
 }
 
 function base64urlEncode(data) {
-  const str = typeof data === 'number' ? data.toString() : data
+  const str = typeof data === 'number' ? data.toString() : data;
   return Buffer.from(str)
     .toString('base64')
     .replace(/\+/g, '-')

From fb21fe97842061e5aa3a332caa1a1723e6193384 Mon Sep 17 00:00:00 2001
From: Brett Ritter <45160689+brettritter-okta@users.noreply.github.com>
Date: Fri, 22 Feb 2019 08:48:00 -0800
Subject: [PATCH 3/4] Added test for Buffer fix

---
 test/builder.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/test/builder.js b/test/builder.js
index a0a33b2..45310d8 100644
--- a/test/builder.js
+++ b/test/builder.js
@@ -107,6 +107,12 @@ describe('base64 URL Encoding',function(){
       );
     });
+
+  it('does not create an uninitialized Buffer', function() {
+    var fromDigits = nJwt.base64urlEncode(10);
+    var fromString = nJwt.base64urlEncode('10');
+    assert.equal(fromDigits, fromString);
+  });
 });

From 610e825dc486fa88cd378d9104399a5d1822be9b Mon Sep 17 00:00:00 2001
From: Brett Ritter <45160689+brettritter-okta@users.noreply.github.com>
Date: Fri, 22 Feb 2019 08:52:48 -0800
Subject: [PATCH 4/4] Adds link to notes about error

---
 test/builder.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/builder.js b/test/builder.js
index 45310d8..424109a 100644
--- a/test/builder.js
+++ b/test/builder.js
@@ -109,6 +109,7 @@ describe('base64 URL Encoding',function(){
   });
 
   it('does not create an uninitialized Buffer', function() {
+    // see https://nodejs.org/api/buffer.html#buffer_buffer_from_buffer_alloc_and_buffer_allocunsafe
     var fromDigits = nJwt.base64urlEncode(10);
     var fromString = nJwt.base64urlEncode('10');
     assert.equal(fromDigits, fromString);
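Review bot: The new test in the `does not create an uninitialized Buffer` case only asserts that `base64urlEncode(10)` and `base64urlEncode('10')` agree, so it would still pass if both produced the same wrong output; also pin the string result to its known base64url form, e.g. `assert.equal(fromString, 'MTA');` (constructed from the standard base64 of the bytes `"10"`, which is `MTA=`; use `'MTA='` if the function keeps padding, since the tail of base64urlEncode is outside these hunks). A second assertion such as `assert.equal(nJwt.base64urlEncode(1000).length, nJwt.base64urlEncode('1000').length);` would guard the regression more directly, because the old `new Buffer(n)` produced output whose length grew with n rather than with its digits. The enclosing describe block starts outside the hunk.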