Skip to content
This repository has been archived by the owner on May 21, 2022. It is now read-only.

Fix security issue with aud validation #429

Merged
merged 1 commit into from
Aug 2, 2021
Merged

Fix security issue with aud validation #429

merged 1 commit into from
Aug 2, 2021

Conversation

Waterdrips
Copy link
Contributor

Aud validation on the JWT was being bypassed if a list of claims was presented
to the server. This commit checks if the aud claim is a list of strings, if not
it checks if its a single string, if not it will return invalid

This fixes #422 #428

Signed-off-by: Alistair Hey alistair.hey@form3.tech

camin-mccluskey
camin-mccluskey approved these changes Sep 15, 2020
View reviewed changes
Copy link

@camin-mccluskey camin-mccluskey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@wpsmith
Copy link

wpsmith commented Sep 29, 2020

@dgrijalva can we get this merged? This is a vital security patch IMHO.

@lggomez
Copy link

lggomez commented Oct 1, 2020
edited
Loading

Due to golang/go#33908 it is not possible to perform go get on a PR so its either:

  • Waiting for @dgrijalva to merge this
  • Copypasting the entire fixed MapClaims from this package into your project and use it instead of jwtgo.MapClaims (and changing if vErr.valid() to if vErr.Errors == 0 to make it work)
  • Using @Waterdrips' fork of the package

@ripienaar
Copy link

For those following this PR please look at #428 where we are trying to get things back to a maintained state

@xntrik xntrik mentioned this pull request Oct 5, 2020
Closed
@mitar
Copy link

mitar commented Oct 19, 2020

This has already been done in #286 I think.

@Waterdrips Waterdrips mentioned this pull request May 29, 2021
Open
@Waterdrips
Fix security issue with aud validation
614772a 
    Aud validation on the JWT was being bypassed if a list of claims was presented
    to the server. This commit checks if the aud claim is a list of strings, if not
    it checks if its a single string, if not it will return invalid

Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
@Waterdrips Waterdrips force-pushed the waterdrips-fix-cve branch from 6474ec9 to 614772a Compare July 10, 2021 07:15
@Waterdrips
Copy link
Contributor Author

applied the same patch as golang-jwt/jwt#12 as per #462 (comment)

@mfridman mfridman mentioned this pull request Jul 23, 2021
Closed
@dgrijalva dgrijalva merged commit 9742bd7 into dgrijalva:master Aug 2, 2021
@azr
Copy link

azr commented Sep 2, 2021

Hello there, do we know when/if this will be released. Thanks for the fix !

@ripienaar
Copy link

Hello there, do we know when/if this will be released. Thanks for the fix !

Please see repo golang-jwt/jwt where this project continues

@1046102779 1046102779 mentioned this pull request Dec 23, 2021
Merged
@zbud-msft zbud-msft mentioned this pull request Mar 18, 2022
Merged
6 tasks
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@camin-mccluskey camin-mccluskey camin-mccluskey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Security Vulnerability: failed type assertion leads to bypassing Audience verification
8 participants
@Waterdrips @wpsmith @lggomez @ripienaar @mitar @azr @camin-mccluskey @dgrijalva