Skip to content

Commit

Permalink
chore: upgrade to golang-jwt 3.2.1 to fix CVE-2020-26160
Browse files Browse the repository at this point in the history
CVE-2020-26160[0] is an access restriction bypass under certain
circumstances when validating audience checks. The original
dgrijalva/jwt-go project is no longer maintained[1] and will not be
issuing a fix for this CVE[2]. Instead, they have transferred ownership
to golang-jwt/jwt[2][3][4].

The following was performed:

1. update chronograf and jsonweb to import golang-jwt/jwt
2. go mod edit -require github.com/golang-jwt/jwt@v3.2.1+incompatible
3. go mod edit -droprequire github.com/dgrijalva/jwt-go
4. go mod tidy
5. make
6. make test

References:
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160
[1] dgrijalva/jwt-go#462
[2] dgrijalva/jwt-go#463
[3] https://github.com/dgrijalva/jwt-go/blob/master/README.md
[4] https://github.com/golang-jwt/jwt
  • Loading branch information
jdstrand committed Jul 23, 2021
1 parent e5c9c2d commit 313e803
Show file tree
Hide file tree
Showing 7 changed files with 8 additions and 5 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ Because of the version bump to `go`, the macOS build for this release requires a
1. [21839](https://github.com/influxdata/influxdb/pull/21839): Fix display and parsing of `influxd upgrade` CLI prompts in PowerShell.
1. [21898](https://github.com/influxdata/influxdb/pull/21898): Removed unused `chronograf-migator` package & chronograf API service, and updated various "chronograf" references.
1. [21919](https://github.com/influxdata/influxdb/pull/21919): Fix display and parsing of interactive `influx` CLI prompts in PowerShell.
1. [21941](https://github.com/influxdata/influxdb/pull/#21941): Upgrade to golang-jwt 3.2.1.

## v2.0.7 [2021-06-04]
----------------------
Expand Down
2 changes: 1 addition & 1 deletion chronograf/influx/authorization.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ import (
"net/http"
"time"

jwt "github.com/dgrijalva/jwt-go"
jwt "github.com/golang-jwt/jwt"
"github.com/influxdata/influxdb/v2/chronograf"
)

Expand Down
2 changes: 1 addition & 1 deletion chronograf/influx/influx_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ import (
"testing"
"time"

gojwt "github.com/dgrijalva/jwt-go"
gojwt "github.com/golang-jwt/jwt"
"github.com/influxdata/influxdb/v2/chronograf"
"github.com/influxdata/influxdb/v2/chronograf/influx"
"github.com/influxdata/influxdb/v2/chronograf/mocks"
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@ require (
github.com/buger/jsonparser v0.0.0-20191004114745-ee4c978eae7e
github.com/cespare/xxhash v1.1.0
github.com/davecgh/go-spew v1.1.1
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8
github.com/docker/docker v1.13.1 // indirect
github.com/dustin/go-humanize v1.0.0
Expand All @@ -29,6 +28,7 @@ require (
github.com/go-chi/chi v4.1.0+incompatible
github.com/go-stack/stack v1.8.0
github.com/gogo/protobuf v1.3.2
github.com/golang-jwt/jwt v3.2.1+incompatible
github.com/golang/gddo v0.0.0-20181116215533-9bd4a3295021
github.com/golang/mock v1.5.0
github.com/golang/protobuf v1.3.3
Expand Down
2 changes: 2 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,8 @@ github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY=
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
Expand Down
2 changes: 1 addition & 1 deletion jsonweb/token.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ package jsonweb
import (
"errors"

"github.com/dgrijalva/jwt-go"
"github.com/golang-jwt/jwt"
"github.com/influxdata/influxdb/v2"
)

Expand Down
2 changes: 1 addition & 1 deletion jsonweb/token_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ import (
"reflect"
"testing"

"github.com/dgrijalva/jwt-go"
"github.com/golang-jwt/jwt"
"github.com/google/go-cmp/cmp"
"github.com/influxdata/influxdb/v2"
)
Expand Down

0 comments on commit 313e803

Please sign in to comment.