Splitted JWT must be checked runtime for string emptiness

lcobucci · Oct 12, 2022 · 938ed73 · 938ed73
1 parent 9ee686c
commit 938ed73
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 4 deletions.
diff --git a/Makefile b/Makefile
@@ -12,7 +12,7 @@ vendor/composer/installed.json: composer.json composer.lock
 
 .PHONY: phpunit
 phpunit:
-	@php -d assert.exception=1 -d zend.assertions=1 vendor/bin/phpunit
+	php -d assert.exception=1 -d zend.assertions=1 vendor/bin/phpunit $(PHPUNIT_FLAGS)
 
 .PHONY: infection
 infection:

diff --git a/src/Token/InvalidTokenStructure.php b/src/Token/InvalidTokenStructure.php
@@ -13,6 +13,16 @@ public static function missingOrNotEnoughSeparators(): self
         return new self('The JWT string must have two dots');
     }
 
+    public static function missingHeaderPart(): self
+    {
+        return new self('The JWT string is missing the Header part');
+    }
+
+    public static function missingClaimsPart(): self
+    {
+        return new self('The JWT string is missing the Claim part');
+    }
+
     public static function arrayExpected(string $part): self
     {
         return new self($part . ' must be an array');

diff --git a/src/Token/Parser.php b/src/Token/Parser.php
@@ -9,7 +9,6 @@
 use Lcobucci\JWT\Token as TokenInterface;
 
 use function array_key_exists;
-use function assert;
 use function count;
 use function explode;
 use function is_array;
@@ -27,8 +26,14 @@ public function __construct(private readonly Decoder $decoder)
     public function parse(string $jwt): TokenInterface
     {
         [$encodedHeaders, $encodedClaims, $encodedSignature] = $this->splitJwt($jwt);
-        assert($encodedHeaders !== '');
-        assert($encodedClaims !== '');
+
+        if ($encodedHeaders === '') {
+            throw InvalidTokenStructure::missingHeaderPart();
+        }
+
+        if ($encodedClaims === '') {
+            throw InvalidTokenStructure::missingClaimsPart();
+        }
 
         $header = $this->parseHeader($encodedHeaders);
 

diff --git a/test/unit/Token/ParserTest.php b/test/unit/Token/ParserTest.php
@@ -44,6 +44,42 @@ public function parseMustRaiseExceptionWhenTokenDoesNotHaveThreeParts(): void
         $parser->parse('.');
     }
 
+    /**
+     * @test
+     *
+     * @covers ::__construct
+     * @covers ::parse
+     * @covers ::splitJwt
+     * @covers \Lcobucci\JWT\Token\InvalidTokenStructure
+     */
+    public function parseMustRaiseExceptionWhenTokenDoesNotHaveHeaders(): void
+    {
+        $parser = $this->createParser();
+
+        $this->expectException(InvalidTokenStructure::class);
+        $this->expectExceptionMessage('The JWT string is missing the Header part');
+
+        $parser->parse('.b.c');
+    }
+
+    /**
+     * @test
+     *
+     * @covers ::__construct
+     * @covers ::parse
+     * @covers ::splitJwt
+     * @covers \Lcobucci\JWT\Token\InvalidTokenStructure
+     */
+    public function parseMustRaiseExceptionWhenTokenDoesNotHaveClaims(): void
+    {
+        $parser = $this->createParser();
+
+        $this->expectException(InvalidTokenStructure::class);
+        $this->expectExceptionMessage('The JWT string is missing the Claim part');
+
+        $parser->parse('a..c');
+    }
+
     /**
      * @test
      *