From 5064b130e006feeeda2e4d6e43c33a151389b87e Mon Sep 17 00:00:00 2001
From: "J. Emrys Landivar"
Date: Mon, 2 Aug 2021 14:13:18 -0500
Subject: [PATCH] security: switch to github.com/golang-jwt/jwt (#2601)

This switches our jwt library because of a security bug in github.com/dgrijalva/jwt-go
---
 LICENSE_OF_DEPENDENCIES.md | 2 +-
 go.mod | 2 +-
 go.sum | 2 ++
 influxdb/token_client.go | 2 +-
 server/server_test.go | 2 +-
 services/auth/meta/client.go | 2 +-
 services/httpd/handler.go | 2 +-
 7 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/LICENSE_OF_DEPENDENCIES.md b/LICENSE_OF_DEPENDENCIES.md
index 64481609d..090b5d41d 100644
--- a/LICENSE_OF_DEPENDENCIES.md
+++ b/LICENSE_OF_DEPENDENCIES.md
@@ -4,7 +4,7 @@ Dependencies
 * github.com/BurntSushi/toml [MIT](https://github.com/BurntSushi/toml/blob/master/COPYING)
 * github.com/boltdb/bolt [MIT](https://github.com/boltdb/bolt/blob/master/LICENSE)
 * github.com/cenkalti/backoff [MIT](https://github.com/cenkalti/backoff/blob/master/LICENSE)
-* github.com/dgrijalva/jwt-go [MIT](https://github.com/dgrijalva/jwt-go/blob/master/LICENSE)
+* github.com/golang-jwt/jwt [MIT](https://github.com/golang-jwt/jwt/blob/master/LICENSE)
 * github.com/dustin/go-humanize [MIT](https://github.com/dustin/go-humanize/blob/master/LICENSE)
 * github.com/golang/protobuf [BSD](https://github.com/golang/protobuf/blob/master/LICENSE)
 * github.com/google/uuid [BSD](https://github.com/google/uuid/blob/master/LICENSE)
diff --git a/go.mod b/go.mod
index e530f6e26..3aac584b7 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,6 @@ require (
 github.com/cenkalti/backoff v2.2.1+incompatible
 github.com/cespare/xxhash v1.1.0
 github.com/davecgh/go-spew v1.1.1
- github.com/dgrijalva/jwt-go v3.2.0+incompatible
 github.com/dgryski/go-bits v0.0.0-20180113010104-bd8a69a71dc2 // indirect
 github.com/docker/docker v20.10.5+incompatible
 github.com/dustin/go-humanize v1.0.0
@@ -21,6 +20,7 @@ require (
 github.com/frankban/quicktest v1.11.0 // indirect
 github.com/geoffgarside/ber v0.0.0-20170306085127-854377f11dfb // indirect
 github.com/ghodss/yaml v1.0.0
+ github.com/golang-jwt/jwt v3.2.2+incompatible
 github.com/golang/protobuf v1.4.3
 github.com/google/btree v1.0.0
 github.com/google/go-cmp v0.5.5
diff --git a/go.sum b/go.sum
index bbc7c2e0a..e6e7321f6 100644
--- a/go.sum
+++ b/go.sum
@@ -473,6 +473,8 @@ github.com/gogo/protobuf v1.2.2-0.20190730201129-28a6bbf47e48/go.mod h1:SlYgWuQ5
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
diff --git a/influxdb/token_client.go b/influxdb/token_client.go
index c9c500f69..d18aa8abf 100644
--- a/influxdb/token_client.go
+++ b/influxdb/token_client.go
@@ -6,7 +6,7 @@ import (
 "sync/atomic"
 "time"
 
- "github.com/dgrijalva/jwt-go"
+ "github.com/golang-jwt/jwt"
 "github.com/influxdata/flux"
 "github.com/influxdata/kapacitor/keyvalue"
 "github.com/pkg/errors"
diff --git a/server/server_test.go b/server/server_test.go
index b1a26ad59..0cd080c25 100644
--- a/server/server_test.go
+++ b/server/server_test.go
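Review bot: The require line added here replaces the dgrijalva/jwt-go entry dropped in the previous hunk, but the accompanying go.sum change only adds the two golang-jwt/jwt lines (diffstat `go.sum | 2 ++`) and removes no `github.com/dgrijalva/jwt-go` checksums, so the old module still appears to sit in the module graph. That is consistent either with `go mod tidy` not having been run or with another dependency still requiring dgrijalva/jwt-go transitively; in the second case the vulnerable package can still be compiled into the binary through that path and this swap does not cover it. Before merging, run `go mod tidy` and `go mod why -m github.com/dgrijalva/jwt-go` and record the result in the PR. If a transitive requirement remains, a `replace github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.2+incompatible` directive in go.mod routes that path through the fixed fork as well.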
@@ -27,7 +27,7 @@ import (
 "time"
 
 "github.com/davecgh/go-spew/spew"
- jwt "github.com/dgrijalva/jwt-go"
+ jwt "github.com/golang-jwt/jwt"
 "github.com/google/go-cmp/cmp"
 "github.com/influxdata/flux/fluxinit"
 iclient "github.com/influxdata/influxdb/client/v2"
diff --git a/services/auth/meta/client.go b/services/auth/meta/client.go
index f83dae1bf..25d82b46c 100644
--- a/services/auth/meta/client.go
+++ b/services/auth/meta/client.go
@@ -18,7 +18,7 @@ import (
 "net/url"
 "time"
 
- "github.com/dgrijalva/jwt-go"
+ "github.com/golang-jwt/jwt"
 )
 
 const controlClientUA = "InfluxDB Cluster Client"
diff --git a/services/httpd/handler.go b/services/httpd/handler.go
index a0bf007e1..daa55cb48 100644
--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@@ -13,7 +13,7 @@ import (
 "strings"
 "time"
 
- "github.com/dgrijalva/jwt-go"
+ "github.com/golang-jwt/jwt"
 "github.com/influxdata/influxdb"
 "github.com/influxdata/influxdb/influxql"
 "github.com/influxdata/influxdb/models"
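Review bot: In the services/httpd/handler.go hunk only the import path changes, so the token parsing and claim verification this handler performs lie outside the hunk and are not reviewed here, and the commit description says "a security bug" without naming which one. Swapping the library only helps on the code paths that rely on the library's own checks, so whoever merges this should confirm that the parse call in this file (presumably `jwt.Parse` or `jwt.ParseWithClaims`) still rejects unexpected signing methods in its keyfunc, e.g. `if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("unexpected signing method %v", token.Header["alg"]) }` adjusted to the method the server is configured for, and that any audience or expiry checks the handler does itself agree with what v3.2.2 now enforces. Naming the advisory in the PR description would also let dependency scanners correlate this change with the fix. The import block and the functions that use `jwt` continue outside the hunk.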