From 938ed73d12d3da8420064a4e364d68cbaf66fc62 Mon Sep 17 00:00:00 2001
From: Filippo Tessarotto
Date: Wed, 12 Oct 2022 14:41:54 +0200
Subject: [PATCH] Splitted JWT must be checked runtime for string emptiness

---
 Makefile | 2 +-
 src/Token/InvalidTokenStructure.php | 10 ++++++++
 src/Token/Parser.php | 11 ++++++---
 test/unit/Token/ParserTest.php | 36 +++++++++++++++++++++++++++++
 4 files changed, 55 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 70027dadd..9af6a02c7 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ vendor/composer/installed.json: composer.json composer.lock
 
 .PHONY: phpunit
 phpunit:
-	@php -d assert.exception=1 -d zend.assertions=1 vendor/bin/phpunit
+	php -d assert.exception=1 -d zend.assertions=1 vendor/bin/phpunit $(PHPUNIT_FLAGS)
 
 .PHONY: infection
 infection:
diff --git a/src/Token/InvalidTokenStructure.php b/src/Token/InvalidTokenStructure.php
index 49c284096..7abb6c3a2 100644
--- a/src/Token/InvalidTokenStructure.php
+++ b/src/Token/InvalidTokenStructure.php
@@ -13,6 +13,16 @@ public static function missingOrNotEnoughSeparators(): self
         return new self('The JWT string must have two dots');
     }
 
+    public static function missingHeaderPart(): self
+    {
+        return new self('The JWT string is missing the Header part');
+    }
+
+    public static function missingClaimsPart(): self
+    {
+        return new self('The JWT string is missing the Claim part');
+    }
+
     public static function arrayExpected(string $part): self
     {
         return new self($part . ' must be an array');
diff --git a/src/Token/Parser.php b/src/Token/Parser.php
index 8e21ba9a7..c82733afd 100644
--- a/src/Token/Parser.php
+++ b/src/Token/Parser.php
@@ -9,7 +9,6 @@
 use Lcobucci\JWT\Token as TokenInterface;
 
 use function array_key_exists;
-use function assert;
 use function count;
 use function explode;
 use function is_array;
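Review bot: The new factory is named `missingClaimsPart` but its message reads 'Claim part' while the sibling reads 'Header part', so the method name and the user-visible wording disagree; either `missingClaimPart()` or `'The JWT string is missing the Claims part'` would line them up. The test added in test/unit/Token/ParserTest.php asserts the exact message, so whichever spelling is chosen has to change in both places.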
@@ -27,8 +26,14 @@ public function __construct(private readonly Decoder $decoder)
     public function parse(string $jwt): TokenInterface
     {
         [$encodedHeaders, $encodedClaims, $encodedSignature] = $this->splitJwt($jwt);
-        assert($encodedHeaders !== '');
-        assert($encodedClaims !== '');
+
+        if ($encodedHeaders === '') {
+            throw InvalidTokenStructure::missingHeaderPart();
+        }
+
+        if ($encodedClaims === '') {
+            throw InvalidTokenStructure::missingClaimsPart();
+        }
 
         $header = $this->parseHeader($encodedHeaders);
 
diff --git a/test/unit/Token/ParserTest.php b/test/unit/Token/ParserTest.php
index 26d25b19d..8bbb5b1c7 100644
--- a/test/unit/Token/ParserTest.php
+++ b/test/unit/Token/ParserTest.php
@@ -44,6 +44,42 @@ public function parseMustRaiseExceptionWhenTokenDoesNotHaveThreeParts(): void
         $parser->parse('.');
     }
 
+    /**
+     * @test
+     *
+     * @covers ::__construct
+     * @covers ::parse
+     * @covers ::splitJwt
+     * @covers \Lcobucci\JWT\Token\InvalidTokenStructure
+     */
+    public function parseMustRaiseExceptionWhenTokenDoesNotHaveHeaders(): void
+    {
+        $parser = $this->createParser();
+
+        $this->expectException(InvalidTokenStructure::class);
+        $this->expectExceptionMessage('The JWT string is missing the Header part');
+
+        $parser->parse('.b.c');
+    }
+
+    /**
+     * @test
+     *
+     * @covers ::__construct
+     * @covers ::parse
+     * @covers ::splitJwt
+     * @covers \Lcobucci\JWT\Token\InvalidTokenStructure
+     */
+    public function parseMustRaiseExceptionWhenTokenDoesNotHaveClaims(): void
+    {
+        $parser = $this->createParser();
+
+        $this->expectException(InvalidTokenStructure::class);
+        $this->expectExceptionMessage('The JWT string is missing the Claim part');
+
+        $parser->parse('a..c');
+    }
+
     /**
      * @test
      *
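Review bot: The third element of the destructuring, `$encodedSignature`, gets no emptiness guard next to the two added here, so a token shaped like `a.b.` passes this point even though `.b.c` and `a..c` are now rejected at runtime; the remainder of `parse` is outside the hunk, so if an empty signature part is deliberately accepted later, a one-line comment beside the new checks saying so would spare the next reader the question, and if it is not, a third guard of the form `if ($encodedSignature === '') { throw InvalidTokenStructure::...; }` with a matching factory (a constructed name such as `missingSignaturePart()`) keeps the three parts consistent. The previous `assert()` calls were compiled out under `zend.assertions=-1`, so the runtime checks are the right direction; since `parse` now throws for structural problems, its docblock should carry `@throws InvalidTokenStructure`.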
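Review bot: Neither new test pins the precedence between the two guards in `Parser::parse`, so a case with both parts empty, `$parser->parse('..c');` expecting 'The JWT string is missing the Header part', would lock in that the header error is reported first. A companion case with `'a.b.'` would also document what the parser does with an empty signature part, which these two tests leave open.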