Skip to content

Commit

Permalink
chore: upgrade to golang-jwt 3.2.1 to fix CVE-2020-26160 (#21925)
Browse files Browse the repository at this point in the history
CVE-2020-26160[0] is an access restriction bypass under certain
circumstances when validating audience checks. The original
dgrijalva/jwt-go project is no longer maintained[1] and will not be
issuing a fix for this CVE[2]. Instead, they have transferred ownership
to golang-jwt/jwt[2][3][4].

The following was performed:

1. update chronograf and jsonweb to import golang-jwt/jwt
2. go mod edit -require github.com/golang-jwt/jwt@v3.2.1+incompatible
3. go mod edit -droprequire github.com/dgrijalva/jwt-go
4. go mod tidy
5. make
6. make test

References:
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160
[1] dgrijalva/jwt-go#462
[2] dgrijalva/jwt-go#463
[3] https://github.com/dgrijalva/jwt-go/blob/master/README.md
[4] https://github.com/golang-jwt/jwt
  • Loading branch information
jdstrand authored Jul 23, 2021
1 parent 8dc74f1 commit bf5965d
Show file tree
Hide file tree
Showing 7 changed files with 8 additions and 5 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ This release adds an embedded SQLite database for storing metadata required by t
1. [21849](https://github.com/influxdata/influxdb/pull/21849): Specify which fields are missing when rejecting an incomplete onboarding request.
1. [21839](https://github.com/influxdata/influxdb/pull/21839): Fix display and parsing of `influxd upgrade` CLI prompts in PowerShell.
1. [21850](https://github.com/influxdata/influxdb/pull/21850): Systemd unit should block on startup until http endpoint is ready
1. [21925](https://github.com/influxdata/influxdb/pull/21925): Upgrade to golang-jwt 3.2.1.

## v2.0.7 [2021-06-04]

Expand Down
2 changes: 1 addition & 1 deletion chronograf/influx/authorization.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ import (
"net/http"
"time"

jwt "github.com/dgrijalva/jwt-go"
jwt "github.com/golang-jwt/jwt"
"github.com/influxdata/influxdb/v2/chronograf"
)

Expand Down
2 changes: 1 addition & 1 deletion chronograf/influx/influx_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ import (
"testing"
"time"

gojwt "github.com/dgrijalva/jwt-go"
gojwt "github.com/golang-jwt/jwt"
"github.com/influxdata/influxdb/v2/chronograf"
"github.com/influxdata/influxdb/v2/chronograf/influx"
"github.com/influxdata/influxdb/v2/chronograf/mocks"
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@ require (
github.com/buger/jsonparser v0.0.0-20191004114745-ee4c978eae7e
github.com/cespare/xxhash v1.1.0
github.com/davecgh/go-spew v1.1.1
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8
github.com/docker/docker v1.13.1 // indirect
github.com/dustin/go-humanize v1.0.0
Expand All @@ -26,6 +25,7 @@ require (
github.com/go-chi/chi v4.1.0+incompatible
github.com/go-stack/stack v1.8.0
github.com/gogo/protobuf v1.3.2
github.com/golang-jwt/jwt v3.2.1+incompatible
github.com/golang/gddo v0.0.0-20181116215533-9bd4a3295021
github.com/golang/mock v1.5.0
github.com/golang/protobuf v1.3.3
Expand Down
2 changes: 2 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -212,6 +212,8 @@ github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY=
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
Expand Down
2 changes: 1 addition & 1 deletion jsonweb/token.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ import (

"github.com/influxdata/influxdb/v2/kit/platform"

"github.com/dgrijalva/jwt-go"
"github.com/golang-jwt/jwt"
"github.com/influxdata/influxdb/v2"
)

Expand Down
2 changes: 1 addition & 1 deletion jsonweb/token_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ import (

"github.com/influxdata/influxdb/v2/kit/platform"

"github.com/dgrijalva/jwt-go"
"github.com/golang-jwt/jwt"
"github.com/google/go-cmp/cmp"
"github.com/influxdata/influxdb/v2"
)
Expand Down

0 comments on commit bf5965d

Please sign in to comment.