fix: throw JWSInvalid when jws protected header is invalid (#244)

panva · Aug 16, 2021 · 1fc79aa · 1fc79aa
1 parent 35fc548
commit 1fc79aa
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/src/jws/flattened/verify.ts b/src/jws/flattened/verify.ts
@@ -95,7 +95,11 @@ async function flattenedVerify(
   let parsedProt: JWSHeaderParameters = {}
   if (jws.protected) {
     const protectedHeader = base64url(jws.protected)
-    parsedProt = JSON.parse(decoder.decode(protectedHeader))
+    try {
+      parsedProt = JSON.parse(decoder.decode(protectedHeader))
+    } catch {
+      throw new JWSInvalid('JWS Protected Header is invalid')
+    }
   }
   if (!isDisjoint(parsedProt, jws.header)) {
     throw new JWSInvalid(

diff --git a/test/jws/flattened.verify.test.mjs b/test/jws/flattened.verify.test.mjs
@@ -72,6 +72,16 @@ Promise.all([
         await t.throwsAsync(flattenedVerify(jws, t.context.secret), assertion);
       }
 
+      {
+        const jws = { ...fullJws };
+        const assertion = {
+          message: 'JWS Protected Header is invalid',
+          code: 'ERR_JWS_INVALID',
+        };
+        jws.protected = `1${jws.protected}`;
+        await t.throwsAsync(flattenedVerify(jws, t.context.secret), assertion);
+      }
+
       {
         const jws = { ...fullJws };
         const assertion = {