From 9570bdf75ae81096243230c6a38a417d3e97cb11 Mon Sep 17 00:00:00 2001 From: lgtm <1gtm@users.noreply.github.com> Date: Sat, 9 Oct 2021 03:28:53 -0700 Subject: [PATCH] [cherry-pick] Fix jwt-go security vulnerability (#144) (#145) /cherry-pick Signed-off-by: 1gtm <1gtm@appscode.com> --- go.mod | 4 +- go.sum | 6 +- .../form3tech-oss/jwt-go/map_claims.go | 66 ++++++++++++------- vendor/modules.txt | 5 +- 4 files changed, 52 insertions(+), 29 deletions(-) diff --git a/go.mod b/go.mod index d8dba063..a2f92fdf 100644 --- a/go.mod +++ b/go.mod @@ -127,4 +127,6 @@ replace sigs.k8s.io/application => github.com/kmodules/application v0.8.4-0.2021 replace github.com/satori/go.uuid => github.com/gofrs/uuid v4.0.0+incompatible -replace github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.1+incompatible +replace github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.2+incompatible + +replace github.com/form3tech-oss/jwt-go => github.com/form3tech-oss/jwt-go v3.2.5+incompatible diff --git a/go.sum b/go.sum index 4658dc96..f13e1404 100644 --- a/go.sum +++ b/go.sum @@ -184,8 +184,8 @@ github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= -github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk= -github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/form3tech-oss/jwt-go v3.2.5+incompatible h1:/l4kBbb4/vGSsdtB5nUe8L7B9mImVMaBPw9L/0TBHU8= +github.com/form3tech-oss/jwt-go v3.2.5+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= @@ -235,7 +235,7 @@ github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= +github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= diff --git a/vendor/github.com/form3tech-oss/jwt-go/map_claims.go b/vendor/github.com/form3tech-oss/jwt-go/map_claims.go index 90ab6bea..14b434ce 100644 --- a/vendor/github.com/form3tech-oss/jwt-go/map_claims.go +++ b/vendor/github.com/form3tech-oss/jwt-go/map_claims.go @@ -13,45 +13,61 @@ type MapClaims map[string]interface{} // Compares the aud claim against cmp. // If required is false, this method will return true if the value matches or is unset func (m MapClaims) VerifyAudience(cmp string, req bool) bool { - aud, ok := m["aud"].([]string) - if !ok { - strAud, ok := m["aud"].(string) - if !ok { - return false + var aud []string + switch v := m["aud"].(type) { + case []string: + aud = v + case []interface{}: + for _, a := range v { + vs, ok := a.(string) + if !ok { + return false + } + aud = append(aud, vs) } - aud = append(aud, strAud) + case string: + aud = append(aud, v) + default: + return false } - return verifyAud(aud, cmp, req) } // Compares the exp claim against cmp. // If required is false, this method will return true if the value matches or is unset func (m MapClaims) VerifyExpiresAt(cmp int64, req bool) bool { - switch exp := m["exp"].(type) { + exp, ok := m["exp"] + if !ok { + return !req + } + switch expType := exp.(type) { case float64: - return verifyExp(int64(exp), cmp, req) + return verifyExp(int64(expType), cmp, req) case json.Number: - v, _ := exp.Int64() + v, _ := expType.Int64() return verifyExp(v, cmp, req) } - return req == false + return false } // Compares the iat claim against cmp. // If required is false, this method will return true if the value matches or is unset func (m MapClaims) VerifyIssuedAt(cmp int64, req bool) bool { - switch iat := m["iat"].(type) { + iat, ok := m["iat"] + if !ok { + return !req + } + switch iatType := iat.(type) { case float64: - return verifyIat(int64(iat), cmp, req) + return verifyIat(int64(iatType), cmp, req) case json.Number: - v, _ := iat.Int64() + v, _ := iatType.Int64() return verifyIat(v, cmp, req) } - return req == false + return false } -// Compares the iss claim against cmp. +// Compares the iss claim against cmp.`` // If required is false, this method will return true if the value matches or is unset func (m MapClaims) VerifyIssuer(cmp string, req bool) bool { iss, _ := m["iss"].(string) @@ -61,14 +77,18 @@ func (m MapClaims) VerifyIssuer(cmp string, req bool) bool { // Compares the nbf claim against cmp. // If required is false, this method will return true if the value matches or is unset func (m MapClaims) VerifyNotBefore(cmp int64, req bool) bool { - switch nbf := m["nbf"].(type) { + nbf, ok := m["nbf"] + if !ok { + return !req + } + switch nbfType := nbf.(type) { case float64: - return verifyNbf(int64(nbf), cmp, req) + return verifyNbf(int64(nbfType), cmp, req) case json.Number: - v, _ := nbf.Int64() + v, _ := nbfType.Int64() return verifyNbf(v, cmp, req) } - return req == false + return false } // Validates time based claims "exp, iat, nbf". @@ -79,17 +99,17 @@ func (m MapClaims) Valid() error { vErr := new(ValidationError) now := TimeFunc().Unix() - if m.VerifyExpiresAt(now, false) == false { + if !m.VerifyExpiresAt(now, false) { vErr.Inner = errors.New("Token is expired") vErr.Errors |= ValidationErrorExpired } - if m.VerifyIssuedAt(now, false) == false { + if !m.VerifyIssuedAt(now, false) { vErr.Inner = errors.New("Token used before issued") vErr.Errors |= ValidationErrorIssuedAt } - if m.VerifyNotBefore(now, false) == false { + if !m.VerifyNotBefore(now, false) { vErr.Inner = errors.New("Token is not valid yet") vErr.Errors |= ValidationErrorNotValidYet } diff --git a/vendor/modules.txt b/vendor/modules.txt index 93c2242c..128c881f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -36,7 +36,7 @@ github.com/emicklei/go-restful/log github.com/evanphx/json-patch # github.com/fatih/structs v1.1.0 github.com/fatih/structs -# github.com/form3tech-oss/jwt-go v3.2.2+incompatible +# github.com/form3tech-oss/jwt-go v3.2.2+incompatible => github.com/form3tech-oss/jwt-go v3.2.5+incompatible github.com/form3tech-oss/jwt-go # github.com/go-logr/logr v0.4.0 github.com/go-logr/logr @@ -655,4 +655,5 @@ stash.appscode.dev/apimachinery/pkg/util # k8s.io/utils => k8s.io/utils v0.0.0-20201110183641-67b214c5f920 # sigs.k8s.io/application => github.com/kmodules/application v0.8.4-0.20210427030912-90eeee3bc4ad # github.com/satori/go.uuid => github.com/gofrs/uuid v4.0.0+incompatible -# github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.1+incompatible +# github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.2+incompatible +# github.com/form3tech-oss/jwt-go => github.com/form3tech-oss/jwt-go v3.2.5+incompatible