# Minimal JWT wrapper which only decodes the base64 header/claim values,
# and doesn't encode/validate JWT tokens.
#
# Note that swapping this out for a third-party gem would work, but
# there may be security issues around the key id (kid) header parameter etc.
# which would need to be reviewed first.
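class Msf::Exploit::Remote::HTTP::JWT
  # payload   - decoded claims (second segment), whatever JSON.parse returned
  # header    - decoded JOSE header (first segment), whatever JSON.parse returned
  # signature - raw third segment, left exactly as it appeared in the token
  attr_reader :payload, :header, :signature

  # @param payload [Object] parsed claims segment
  # @param header [Object] parsed header segment
  # @param signature [String] raw, still-encoded signature segment
  def initialize(payload:, header:, signature:)
    @payload = payload
    @header = header
    @signature = signature
  end

  # Encoding is deliberately unsupported by this minimal wrapper; the
  # parameters mirror the jwt gem's signature only so call sites line up.
  #
  # @raise [NotImplementedError] always
  def self.encode(payload, key, algorithm = 'HS256', header_fields = {})
    raise NotImplementedError
  end

  # Splits a compact-serialised token (header.payload.signature) and parses
  # the header and claims segments.
  #
  # The signature is NOT verified. +_key+, +_verify+ and +_options+ exist
  # only for call-site compatibility and are ignored, so everything in the
  # returned header and payload must be treated as untrusted input.
  #
  # @param jwt [String] token in compact serialisation
  # @param _key [Object, nil] ignored
  # @param _verify [Boolean] ignored; no verification is performed
  # @param _options [Hash] ignored
  # @return [Msf::Exploit::Remote::HTTP::JWT] parsed, unverified token
  # @raise [ArgumentError] if the token does not have three '.'-separated segments
  # @raise [JSON::ParserError] if the header or claims segment is not valid JSON
  def self.decode(jwt, _key = nil, _verify = true, _options = {})
    # Limit of 3 means any further '.'-separated material (e.g. a JWE's
    # extra segments) ends up in +signature+ rather than raising.
    header, payload, signature = jwt.split('.', 3)
    raise ArgumentError, 'Invalid JWT format' if header.nil? || payload.nil? || signature.nil?

    new(
      header: JSON.parse(decode_segment(header)),
      payload: JSON.parse(decode_segment(payload)),
      signature: signature
    )
  end

  # JWT segments are base64url (RFC 7515): '-' and '_' stand in for '+' and
  # '/', and padding is omitted. Map the two URL-safe characters back to the
  # standard alphabet before decoding so segments containing them do not
  # decode to garbage; a segment already in the standard alphabet is unchanged.
  # Assumes Rex::Text.decode_base64 accepts the standard alphabet and
  # tolerates missing padding -- TODO confirm against rex-text.
  def self.decode_segment(segment)
    Rex::Text.decode_base64(segment.tr('-_', '+/'))
  end
  private_class_method :decode_segment
end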