Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify JWT header format #622

Merged
merged 1 commit into from
Sep 30, 2024
Merged

Verify JWT header format #622

merged 1 commit into from
Sep 30, 2024

Conversation

304
Copy link
Contributor

@304 304 commented Sep 30, 2024
edited
Loading

Description

JWT header is expected to be a hash. However, it's possible to generate a token that defines header as an Array []. This case is not handled by the application and leads to TypeError: no implicit conversion of String into Integer.

Solution

Add a verification for an header type before accessing hash elements.

Checklist

Before the PR can be merged be sure the following are checked:

  • There are tests for the fix or feature added/changed
  • A description of the changes and a reference to the PR has been added to CHANGELOG.md. More details in the CONTRIBUTING.md

@304 304 force-pushed the fix_invalid_header_format branch 2 times, most recently from d96643b to abd8816 Compare September 30, 2024 09:34
anakinj
anakinj requested changes Sep 30, 2024
View reviewed changes
Copy link
Member

@anakinj anakinj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for looking at this. Do you think it would make sense to handle this case separately?

lib/jwt/decode.rb Outdated
@@ -135,7 +135,7 @@ def decode_signature
end

def alg_in_header
header['alg']
header.is_a?(Hash) && header['alg']
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would maybe like to have the type concern separated from checking the alg value.

For example a separate guard in #verify_algo

   def verify_algo
      raise JWT::IncorrectAlgorithm, 'An algorithm must be specified' if allowed_algorithms.empty?
      raise JWT::DecodeError, 'Token header not a JSON object' unless header.is_a?(Hash)
      raise JWT::IncorrectAlgorithm, 'Token is missing alg header' unless alg_in_header
      raise JWT::IncorrectAlgorithm, 'Expected a different algorithm' if allowed_and_valid_algorithms.empty?
    end

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea @anakinj! 👍 Thank you, I've applied your suggestion.

@anakinj
Copy link
Member

anakinj commented Sep 30, 2024

This change is also a fix to #470

@304
Verify JWT header format
5767e79 
**Problem**

JWT header is expected to be a hash. However, it's possible to generate
a token that defines header as an Array `[]`. This case is not handled
by the application and leads to `TypeError: no implicit conversion of
String into Integer`.

**Solution**

Add a verification for an header type before accessing hash elements.
@304 304 requested a review from anakinj September 30, 2024 13:50
@anakinj anakinj merged commit 685a245 into jwt:main Sep 30, 2024
34 checks passed
@anakinj
Copy link
Member

anakinj commented Sep 30, 2024

Great work. Thanks @304 for the effort.

@304 304 deleted the fix_invalid_header_format branch October 1, 2024 08:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anakinj anakinj anakinj approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@304 @anakinj