-
Notifications
You must be signed in to change notification settings - Fork 996
Fix sec vuln with list of claims #426
Fix sec vuln with list of claims #426
Conversation
964bece
to
63de7be
Compare
…codeowners-1600076031644796752 [skip ci] Adding CODEOWNERS file
Signed-off-by: Alistair Hey <[email protected]>
Signed-off-by: Alistair Hey <[email protected]>
Signed-off-by: Alistair Hey <[email protected]>
Signed-off-by: Alistair Hey <[email protected]>
f8fbdb3
to
4ea2e3f
Compare
@@ -2,7 +2,7 @@ package jwt_test | |||
|
|||
import ( | |||
"fmt" | |||
"github.com/dgrijalva/jwt-go" | |||
"github.com/form3tech-oss/jwt-go" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are this changes needed in example_test.go?
Functions should be named as Example - to have examples in godoc.
Also some external jwt-go is imported
if !ok { | ||
strAud, ok := m["aud"].(string) | ||
aud = append(aud, strAud) | ||
if !ok { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: if
should be before aud = append(aud, strAud)
oh sorry - we decided to fork and fix in our company org and I left this PR open |
but why closing it? :) I would be great to have vulnerability fix merged into upstream |
@Waterdrips Echoing @sev3ryn's comment - it would be ideal to have this fix live in the latest version. This is now categorised as a high severity vulnerability https://snyk.io/vuln/golang:github.com%2Fdgrijalva%2Fjwt-go and means we can no longer use the library in an enterprise environment |
theres an open PR addressing this from Match #385 which has not been addressed. We have taken the decision to fix this on our oss fork rather than wait for some activity here. |
@dgrijalva if you have time to merge a fix like this, then we can all dump our forks to /dev/null. What are your thoughts? |
Are we going to fix and bump the new version of the library? |
See #286 |
This PR adds a fix for #422
Tests were added for failing and passing states then the code was updated for the case in the JWT Spec that allows a list of "aud" as well as a single string "aud"
Signed-off-by: Alistair Hey [email protected]