Here we are using flask_jwt_extended. There is a call in it that calls jwt.api_jwt.PyJWT.decode with a now disappeared parameter. The problem is that jwt.api_jwt.PyJWT.decode accepts any named parameters, and forwards them to jwt.jws_api.PyJWS.decode_complete. So a call that should fail is working but doing the wrong thing.
Moreover kwargs in jwt.jws_api.PyJWS.decode_complete isn't used at all. It looks suspicious.
Expected Result
If an API caller calls a function with a bad parameter, an exception is raised immediately. **kwargs shouldn't be used as garbage parameters collection.
Actual Result
An exception is raised a few lines later, masking the real problem of the wrong usage of the API.
Reproduction Steps
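```python
import jwt

# Constructed sample token so the snippet runs on its own.
encoded_token = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")

# does not raise even if prout has never been a valid parameter.
unverified_claims = jwt.decode(
    encoded_token, verify=False, prout="bar",
)
```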
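A defensive wrapper for the problem described in this issue, as an added example that is not part of the original report or of PyJWT: it rejects any keyword argument the wrapped function does not name explicitly, so a removed or misspelled option fails at the call site instead of being absorbed by `**kwargs`. `lenient_decode` is a hypothetical stand-in with the shape the issue describes, not PyJWT's real signature, and `reject_unknown_kwargs` and `error_for` are names chosen for this example.

```python
import functools
import inspect


def reject_unknown_kwargs(func):
    """Raise TypeError for keyword arguments that func does not name
    explicitly, even when func declares a **kwargs catch-all."""
    named = {
        name
        for name, p in inspect.signature(func).parameters.items()
        if p.kind in (p.POSITIONAL_OR_KEYWORD, p.KEYWORD_ONLY)
    }

    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        unknown = sorted(set(kwargs) - named)
        if unknown:
            raise TypeError(
                f"{func.__name__}() got unexpected keyword argument(s): "
                + ", ".join(unknown)
            )
        return func(*args, **kwargs)

    return wrapper


# Hypothetical stand-in (assumption): a decode function whose **kwargs
# silently absorbs anything, so the caller only sees a later, unrelated error.
def lenient_decode(token, key="", algorithms=None, options=None, **kwargs):
    if not algorithms:
        raise ValueError("algorithms must be specified")
    return {"token": token}


strict_decode = reject_unknown_kwargs(lenient_decode)


def error_for(func, **kwargs):
    """Call func with a constructed sample token; return (exception type
    name, message) if it raises, or None if it succeeds."""
    try:
        func("constructed.sample.token", **kwargs)
    except Exception as exc:
        return type(exc).__name__, str(exc)
    return None
```

Calling `error_for(lenient_decode, verify=False, prout="bar")` reports the unrelated `algorithms` error, while the same call through `strict_decode` names the offending arguments.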