From 1b28605532373fa7688fcab875b45503ae393563 Mon Sep 17 00:00:00 2001
From: Alex Lokshin
Date: Thu, 2 Jan 2025 13:15:45 -0500
Subject: [PATCH] fix: Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) (#1090)

Co-authored-by: alexlokshin-czi
---
 oidc_cli/go.mod | 3 ++-
 oidc_cli/go.sum | 2 ++
 oidc_cli/oidc_impl/rsa-keygen.go | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/oidc_cli/go.mod b/oidc_cli/go.mod
index 89df2145..410dcdd4 100644
--- a/oidc_cli/go.mod
+++ b/oidc_cli/go.mod
@@ -19,7 +19,7 @@ require (
 	github.com/zalando/go-keyring v0.2.4
 	golang.org/x/crypto v0.31.0
 	golang.org/x/oauth2 v0.18.0
-	gopkg.in/square/go-jose.v2 v2.6.0
+	gopkg.in/go-jose/go-jose.v2 v2.6.3
 )
 
 require (
@@ -37,6 +37,7 @@ require (
 	golang.org/x/sys v0.28.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/oidc_cli/go.sum b/oidc_cli/go.sum
index f0aac699..1e81f7ce 100644
--- a/oidc_cli/go.sum
+++ b/oidc_cli/go.sum
@@ -106,6 +106,8 @@ google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHh
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
+gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
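Review bot: The remediation is only partial as long as the second go.mod hunk adds `gopkg.in/square/go-jose.v2 v2.6.0 // indirect` and go.sum keeps that module's checksums: the version the commit title calls vulnerable remains in the build graph through some other requirement, so dependency scanners that key on go.sum will keep reporting the advisory, and if that transitive dependency decrypts compressed JWE the amplification issue is still reachable. Run `go mod why -m gopkg.in/square/go-jose.v2` to find which requirement pulls it, bump that dependency to a release that has moved to `gopkg.in/go-jose/go-jose.v2`, then `go mod tidy` so the stale require and go.sum entries disappear. Until that is possible, `govulncheck ./...` will tell you whether the vulnerable JWE decompression path is actually reachable from this module, which is the real exposure question; presumably this CLI only uses go-jose for JWK handling in rsa-keygen.go, but the diff does not show that.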
diff --git a/oidc_cli/oidc_impl/rsa-keygen.go b/oidc_cli/oidc_impl/rsa-keygen.go
index 9b1c814a..06059a8c 100644
--- a/oidc_cli/oidc_impl/rsa-keygen.go
+++ b/oidc_cli/oidc_impl/rsa-keygen.go
@@ -8,7 +8,7 @@ import (
 	"os"
 
 	"golang.org/x/crypto/ssh"
-	"gopkg.in/square/go-jose.v2"
+	"gopkg.in/go-jose/go-jose.v2"
 )
 
 // Generate new RSA keys.