fix: Compact JWS verification handles a zero-length payload string

panva · Nov 12, 2021 · 7c70e7b · 7c70e7b
1 parent d927d4e
commit 7c70e7b
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 6 deletions.
diff --git a/src/jws/compact/verify.ts b/src/jws/compact/verify.ts
@@ -72,11 +72,7 @@ export async function compactVerify(
   }
 
   const verified = await flattenedVerify(
-    {
-      payload: <string>(payload || undefined),
-      protected: protectedHeader || undefined,
-      signature: <string>(signature || undefined),
-    },
+    { payload, protected: protectedHeader, signature },
     <Parameters<typeof flattenedVerify>[1]>key,
     options,
   )

diff --git a/test/jws/compact.verify.test.mjs b/test/jws/compact.verify.test.mjs
@@ -1,9 +1,25 @@
 import test from 'ava'
+import * as crypto from 'crypto'
 
 const root = !('WEBCRYPTO' in process.env) ? '#dist' : '#dist/webcrypto'
-const { compactVerify } = await import(root)
+const { compactVerify, CompactSign } = await import(root)
+
+test.before(async (t) => {
+  t.context.secret = crypto.randomFillSync(new Uint8Array(32))
+})
 
 test('JWS format validation', async (t) => {
+  {
+    await t.notThrowsAsync(async () => {
+      await compactVerify(
+        await new CompactSign(new Uint8Array())
+          .setProtectedHeader({ alg: 'HS256' })
+          .sign(t.context.secret),
+        t.context.secret,
+      )
+    })
+  }
+
   await t.throwsAsync(compactVerify(null, new Uint8Array(0)), {
     message: 'Compact JWS must be a string or Uint8Array',
     code: 'ERR_JWS_INVALID',

diff --git a/test/jws/flattened.verify.test.mjs b/test/jws/flattened.verify.test.mjs
@@ -34,6 +34,17 @@ test('JWS format validation', async (t) => {
     })
   }
 
+  {
+    await t.notThrowsAsync(async () => {
+      await flattenedVerify(
+        await new FlattenedSign(new Uint8Array())
+          .setProtectedHeader({ alg: 'HS256' })
+          .sign(t.context.secret),
+        t.context.secret,
+      )
+    })
+  }
+
   {
     const jws = { ...fullJws }
     delete jws.signature

diff --git a/test/jws/general.test.mjs b/test/jws/general.test.mjs
@@ -81,6 +81,18 @@ test('General JWS verify format validation', async (t) => {
 
   const generalJws = await sig.sign()
 
+  {
+    await t.notThrowsAsync(async () => {
+      await generalVerify(
+        await new GeneralSign(new Uint8Array())
+          .addSignature(t.context.secret)
+          .setProtectedHeader({ alg: 'HS256' })
+          .sign(),
+        t.context.secret,
+      )
+    })
+  }
+
   {
     await t.throwsAsync(generalVerify(null, t.context.secret), {
       message: 'General JWS must be an object',