From 313e8038c2afdd454b8c174d8ff697ba95b683bb Mon Sep 17 00:00:00 2001
From: Jamie Strandboge
Date: Thu, 22 Jul 2021 14:53:23 -0500
Subject: [PATCH] chore: upgrade to golang-jwt 3.2.1 to fix CVE-2020-26160

CVE-2020-26160[0] is an access restriction bypass under certain circumstances when validating audience checks. The original dgrijalva/jwt-go project is no longer maintained[1] and will not be issuing a fix for this CVE[2]. Instead, they have transferred ownership to golang-jwt/jwt[2][3][4].

The following was performed:
1. update chronograf and jsonweb to import golang-jwt/jwt
2. go mod edit -require github.com/golang-jwt/jwt@v3.2.1+incompatible
3. go mod edit -droprequire github.com/dgrijalva/jwt-go
4. go mod tidy
5. make
6. make test

References:
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160
[1] dgrijalva/jwt-go#462
[2] dgrijalva/jwt-go#463
[3] https://github.com/dgrijalva/jwt-go/blob/master/README.md
[4] https://github.com/golang-jwt/jwt
---
 CHANGELOG.md | 1 +
 chronograf/influx/authorization.go | 2 +-
 chronograf/influx/influx_test.go | 2 +-
 go.mod | 2 +-
 go.sum | 2 ++
 jsonweb/token.go | 2 +-
 jsonweb/token_test.go | 2 +-
 7 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e233dd2878c..ea9530610b9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ Because of the version bump to `go`, the macOS build for this release requires a
 1. [21839](https://github.com/influxdata/influxdb/pull/21839): Fix display and parsing of `influxd upgrade` CLI prompts in PowerShell.
 1. [21898](https://github.com/influxdata/influxdb/pull/21898): Removed unused `chronograf-migator` package & chronograf API service, and updated various "chronograf" references.
 1. [21919](https://github.com/influxdata/influxdb/pull/21919): Fix display and parsing of interactive `influx` CLI prompts in PowerShell.
+1. [21941](https://github.com/influxdata/influxdb/pull/#21941): Upgrade to golang-jwt 3.2.1.
 
 ## v2.0.7 [2021-06-04]
 ----------------------
diff --git a/chronograf/influx/authorization.go b/chronograf/influx/authorization.go
index 7c0d2f6c193..95f26c2f753 100644
--- a/chronograf/influx/authorization.go
+++ b/chronograf/influx/authorization.go
@@ -5,7 +5,7 @@ import (
 	"net/http"
 	"time"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	jwt "github.com/golang-jwt/jwt"
 	"github.com/influxdata/influxdb/v2/chronograf"
 )
 
diff --git a/chronograf/influx/influx_test.go b/chronograf/influx/influx_test.go
index 3f9ec3ea7c8..0c70870bb40 100644
--- a/chronograf/influx/influx_test.go
+++ b/chronograf/influx/influx_test.go
@@ -10,7 +10,7 @@ import (
 	"testing"
 	"time"
 
-	gojwt "github.com/dgrijalva/jwt-go"
+	gojwt "github.com/golang-jwt/jwt"
 	"github.com/influxdata/influxdb/v2/chronograf"
 	"github.com/influxdata/influxdb/v2/chronograf/influx"
 	"github.com/influxdata/influxdb/v2/chronograf/mocks"
diff --git a/go.mod b/go.mod
index 3be55b54c66..38d798c18a8 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,6 @@ require (
 	github.com/buger/jsonparser v0.0.0-20191004114745-ee4c978eae7e
 	github.com/cespare/xxhash v1.1.0
 	github.com/davecgh/go-spew v1.1.1
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8
 	github.com/docker/docker v1.13.1 // indirect
 	github.com/dustin/go-humanize v1.0.0
@@ -29,6 +28,7 @@ require (
 	github.com/go-chi/chi v4.1.0+incompatible
 	github.com/go-stack/stack v1.8.0
 	github.com/gogo/protobuf v1.3.2
+	github.com/golang-jwt/jwt v3.2.1+incompatible
 	github.com/golang/gddo v0.0.0-20181116215533-9bd4a3295021
 	github.com/golang/mock v1.5.0
 	github.com/golang/protobuf v1.3.3
diff --git a/go.sum b/go.sum
index 418e10c4c13..78fc0bf5ba4 100644
--- a/go.sum
+++ b/go.sum
@@ -216,6 +216,8 @@ github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
+github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
diff --git a/jsonweb/token.go b/jsonweb/token.go
index da29723d96b..968ade5c804 100644
--- a/jsonweb/token.go
+++ b/jsonweb/token.go
@@ -3,7 +3,7 @@ package jsonweb
 import (
 	"errors"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 	"github.com/influxdata/influxdb/v2"
 )
 
diff --git a/jsonweb/token_test.go b/jsonweb/token_test.go
index cda65f8c62e..3991bc4e0fd 100644
--- a/jsonweb/token_test.go
+++ b/jsonweb/token_test.go
@@ -4,7 +4,7 @@ import (
 	"reflect"
 	"testing"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 	"github.com/google/go-cmp/cmp"
 	"github.com/influxdata/influxdb/v2"
 )
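Review bot: Swapping the direct require to `github.com/golang-jwt/jwt v3.2.1+incompatible` does not by itself prove the vulnerable package is out of the build: the diffstat shows go.sum gaining two lines and losing none, so the `github.com/dgrijalva/jwt-go` checksum entries appear to survive `go mod tidy`, which would mean some other dependency still lists it in its module graph. Nothing in this patch shows it being compiled into influxd, but that is worth confirming before calling CVE-2020-26160 closed, e.g. `go list -deps ./... | grep dgrijalva/jwt-go` (or `go mod why -m github.com/dgrijalva/jwt-go`), since a transitive importer would keep the unpatched `MapClaims.VerifyAudience` in the binary. Note also that v3.2.1 is the last release published on the unversioned import path; subsequent golang-jwt fixes ship as `github.com/golang-jwt/jwt/v4`, so a follow-up migration should be tracked rather than treating this pin as final. The `require (` block continues outside the hunk.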