From bf5965d22b830f135958196faf48b69f076313ff Mon Sep 17 00:00:00 2001 From: Jamie Strandboge Date: Fri, 23 Jul 2021 15:19:11 -0500 Subject: [PATCH] chore: upgrade to golang-jwt 3.2.1 to fix CVE-2020-26160 (#21925) CVE-2020-26160[0] is an access restriction bypass under certain circumstances when validating audience checks. The original dgrijalva/jwt-go project is no longer maintained[1] and will not be issuing a fix for this CVE[2]. Instead, they have transferred ownership to golang-jwt/jwt[2][3][4]. The following was performed: 1. update chronograf and jsonweb to import golang-jwt/jwt 2. go mod edit -require github.com/golang-jwt/jwt@v3.2.1+incompatible 3. go mod edit -droprequire github.com/dgrijalva/jwt-go 4. go mod tidy 5. make 6. make test References: [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160 [1] dgrijalva/jwt-go#462 [2] dgrijalva/jwt-go#463 [3] https://github.com/dgrijalva/jwt-go/blob/master/README.md [4] https://github.com/golang-jwt/jwt --- CHANGELOG.md | 1 + chronograf/influx/authorization.go | 2 +- chronograf/influx/influx_test.go | 2 +- go.mod | 2 +- go.sum | 2 ++ jsonweb/token.go | 2 +- jsonweb/token_test.go | 2 +- 7 files changed, 8 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b39b9bf153e..1243ff33208 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -65,6 +65,7 @@ This release adds an embedded SQLite database for storing metadata required by t 1. [21849](https://github.com/influxdata/influxdb/pull/21849): Specify which fields are missing when rejecting an incomplete onboarding request. 1. [21839](https://github.com/influxdata/influxdb/pull/21839): Fix display and parsing of `influxd upgrade` CLI prompts in PowerShell. 1. [21850](https://github.com/influxdata/influxdb/pull/21850): Systemd unit should block on startup until http endpoint is ready +1. [21925](https://github.com/influxdata/influxdb/pull/21925): Upgrade to golang-jwt 3.2.1. ## v2.0.7 [2021-06-04] diff --git a/chronograf/influx/authorization.go b/chronograf/influx/authorization.go index 7c0d2f6c193..95f26c2f753 100644 --- a/chronograf/influx/authorization.go +++ b/chronograf/influx/authorization.go @@ -5,7 +5,7 @@ import ( "net/http" "time" - jwt "github.com/dgrijalva/jwt-go" + jwt "github.com/golang-jwt/jwt" "github.com/influxdata/influxdb/v2/chronograf" ) diff --git a/chronograf/influx/influx_test.go b/chronograf/influx/influx_test.go index 3f9ec3ea7c8..0c70870bb40 100644 --- a/chronograf/influx/influx_test.go +++ b/chronograf/influx/influx_test.go @@ -10,7 +10,7 @@ import ( "testing" "time" - gojwt "github.com/dgrijalva/jwt-go" + gojwt "github.com/golang-jwt/jwt" "github.com/influxdata/influxdb/v2/chronograf" "github.com/influxdata/influxdb/v2/chronograf/influx" "github.com/influxdata/influxdb/v2/chronograf/mocks" diff --git a/go.mod b/go.mod index 677da74a641..4b089fa7a33 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,6 @@ require ( github.com/buger/jsonparser v0.0.0-20191004114745-ee4c978eae7e github.com/cespare/xxhash v1.1.0 github.com/davecgh/go-spew v1.1.1 - github.com/dgrijalva/jwt-go v3.2.0+incompatible github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8 github.com/docker/docker v1.13.1 // indirect github.com/dustin/go-humanize v1.0.0 @@ -26,6 +25,7 @@ require ( github.com/go-chi/chi v4.1.0+incompatible github.com/go-stack/stack v1.8.0 github.com/gogo/protobuf v1.3.2 + github.com/golang-jwt/jwt v3.2.1+incompatible github.com/golang/gddo v0.0.0-20181116215533-9bd4a3295021 github.com/golang/mock v1.5.0 github.com/golang/protobuf v1.3.3 diff --git a/go.sum b/go.sum index dd3d301ff15..fd86ef5d123 100644 --- a/go.sum +++ b/go.sum @@ -212,6 +212,8 @@ github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c= +github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= diff --git a/jsonweb/token.go b/jsonweb/token.go index 21ed0a6e14c..f409e562c60 100644 --- a/jsonweb/token.go +++ b/jsonweb/token.go @@ -5,7 +5,7 @@ import ( "github.com/influxdata/influxdb/v2/kit/platform" - "github.com/dgrijalva/jwt-go" + "github.com/golang-jwt/jwt" "github.com/influxdata/influxdb/v2" ) diff --git a/jsonweb/token_test.go b/jsonweb/token_test.go index e69f56223cb..3af0ab101ef 100644 --- a/jsonweb/token_test.go +++ b/jsonweb/token_test.go @@ -6,7 +6,7 @@ import ( "github.com/influxdata/influxdb/v2/kit/platform" - "github.com/dgrijalva/jwt-go" + "github.com/golang-jwt/jwt" "github.com/google/go-cmp/cmp" "github.com/influxdata/influxdb/v2" )