fix(middleware/jwt): fix incorrect assumption in jwt impl #2775
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hi @boehs Thanks for the PR. You are right. I think this will not be a "breaking change." It just changes the internal behavior in the JWT middleware, so we can ship it as a patch or minor release. One thing. Could you run the |
yeah the breaking assumption was before I tried to pentest it and found it wasn't working with undefined and discovered that by luck there was an exception. I'll denoify it now |
|
done |
yusukebe
changed the title
yusukebe
approved these changes
May 23, 2024
|
Thank you! I'll merge this now and will ship it. |
yusukebe
pushed a commit
that referenced
this pull request
May 24, 2024
* breaking change: fix incorrect assumption in jwt impl * denofiy
nicolewhite
referenced
this pull request
in autoblocksai/cli
May 29, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [hono](https://hono.dev/) ([source](https://github.com/honojs/hono)) | [`4.3.8` -> `4.4.0`](https://renovatebot.com/diffs/npm/hono/4.3.8/4.4.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>honojs/hono (hono)</summary> ### [`v4.4.0`](https://github.com/honojs/hono/compare/v4.3.11...v4.4.0) [Compare Source](https://github.com/honojs/hono/compare/v4.3.11...v4.4.0) ### [`v4.3.11`](https://github.com/honojs/hono/releases/tag/v4.3.11) [Compare Source](https://github.com/honojs/hono/compare/v4.3.10...v4.3.11) #### What's Changed - fix(middleware/jwt): fix incorrect assumption in jwt impl by [@​boehs](https://github.com/boehs) in [https://github.com/honojs/hono/pull/2775](https://github.com/honojs/hono/pull/2775) #### New Contributors - [@​boehs](https://github.com/boehs) made their first contribution in [https://github.com/honojs/hono/pull/2775](https://github.com/honojs/hono/pull/2775) **Full Changelog**: honojs/hono@v4.3.10...v4.3.11 ### [`v4.3.10`](https://github.com/honojs/hono/releases/tag/v4.3.10) [Compare Source](https://github.com/honojs/hono/compare/v4.3.9...v4.3.10) #### What's Changed - fix(secure-header): Replace NodeJS Buffer API by [@​watany-dev](https://github.com/watany-dev) in [https://github.com/honojs/hono/pull/2761](https://github.com/honojs/hono/pull/2761) - fix(http-exception): prioritize the status code by [@​yusukebe](https://github.com/yusukebe) in [https://github.com/honojs/hono/pull/2767](https://github.com/honojs/hono/pull/2767) - feat(etag): export `RETAINED_304_HEADERS` by [@​yusukebe](https://github.com/yusukebe) in [https://github.com/honojs/hono/pull/2763](https://github.com/honojs/hono/pull/2763) **Full Changelog**: honojs/hono@v4.3.9...v4.3.10 ### [`v4.3.9`](https://github.com/honojs/hono/releases/tag/v4.3.9) [Compare Source](https://github.com/honojs/hono/compare/v4.3.8...v4.3.9) #### What's Changed - fix(factory): export `CreateHandlersInterface` by [@​yusukebe](https://github.com/yusukebe) in [https://github.com/honojs/hono/pull/2752](https://github.com/honojs/hono/pull/2752) - feat(aws-lambda): add support for alb multiValueQueryStringParameters by [@​yiss](https://github.com/yiss) in [https://github.com/honojs/hono/pull/2751](https://github.com/honojs/hono/pull/2751) **Full Changelog**: honojs/hono@v4.3.8...v4.3.9 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday" in timezone America/Chicago, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/autoblocksai/cli). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNzcuOCIsInVwZGF0ZWRJblZlciI6IjM3LjM3Ny44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The author should do the following, if applicable
Please see https://discord.com/channels/595317990191398933/1243024990652207115/1243024990652207115 (in the cloudflare discord)
THIS WILL BREAK PRODUCTION
In the docs it says
realalitically code in production will look more like
however, if this app.use is at the top level, in some instances in cloudflare process.env can be undefined. Nobody noticed this, because the code failed to check if it was actually defined.
edit: another solution would be to move this check inside the return callback, but this means that every API call it would run the getter on
process.envwhich would make it susceptible to runtime manipulation.Though actually if my theory that this is an issue is correct, in its current impl where the check is running before the callback is constructed, it is still vulnerable to runtime manipulation without reruning the check because it never does
let secret = options.secretso if you could modify the value of secret (eg if it is a reference to process.env.secret and you modify it elsewhere) but actually, I think I'm wrong because when you construct an object likelet obj = { secret: process.env.SECRET }, changing process.env wouldn't have an impact because when SECRET is accessed thats no longer a reference type, thats a copy.HOWEVER if you access
process.env.SECRETevery single request, like when I proposedit would hit the ref type every single request, so that would make it a vuln
bun denoifyto generate files for Denobun run format:fix && bun run lint:fixto format the code