Example for jwt.Parse uses incorrect method for validating algorithm methods #424

Open
mattt opened this issue Dec 13, 2024 · 0 comments · May be fixed by #425


mattt commented Dec 13, 2024

The ExampleParse_hmac function in hmac_example_test.go provides the following example code:

jwt/hmac_example_test.go

Lines 51 to 59 in bc8bdca

token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
	// Don't forget to validate the alg is what you expect:
	if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
		return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
	}
	// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
	return hmacSampleSecret, nil
})

The validation performed on line 53 seems at odds with the recommendations in the Parse function docs:

jwt/parser.go

Lines 218 to 225 in bc8bdca

// Parse parses, validates, verifies the signature and returns the parsed token.
// keyFunc will receive the parsed token and should return the cryptographic key
// for verifying the signature. The caller is strongly encouraged to set the
// WithValidMethods option to validate the 'alg' claim in the token matches the
// expected algorithm. For more details about the importance of validating the
// 'alg' claim, see
// https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
func Parse(tokenString string, keyFunc Keyfunc, options ...ParserOption) (*Token, error) {

In this case, the type assertion tests whether token.Method can be safely converted to the *jwt.SigningMethodHMAC type. But a more specific check for HS256 seems more appropriate.

token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
	// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
	return hmacSampleSecret, nil
}, jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()}))

Or for all HMAC signing methods:

validMethods := []string{
	jwt.SigningMethodHS256.Alg(),
	jwt.SigningMethodHS384.Alg(),
	jwt.SigningMethodHS512.Alg(),
}
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
	// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
	return hmacSampleSecret, nil
}, jwt.WithValidMethods(validMethods))
@mattt mattt linked a pull request Dec 13, 2024 that will close this issue
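To show what the recommended jwt.WithValidMethods allowlist buys, here is an added example that is not part of the issue or of the golang-jwt library: a stdlib-only verifier (hypothetical functions verifyToken and mintToken) that checks the header's alg against an explicit allowlist before the key is used at all, plus a helper that mints a constructed sample token. The key and claims in the comments are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// mintToken builds a constructed sample token: the header carries algName
// verbatim, while the signature is always HMAC-SHA256 over header.payload.
func mintToken(algName string, claims map[string]any, key []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": algName})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyToken mirrors what jwt.WithValidMethods adds to jwt.Parse: the header's alg is
// checked against an explicit allowlist before the key is touched; only HS256 is implemented.
func verifyToken(token string, key []byte, validMethods []string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("token must have three dot-separated segments")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hdrReader := base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(parts[0]))
	if err := json.NewDecoder(hdrReader).Decode(&hdr); err != nil {
		return fmt.Errorf("malformed header: %w", err)
	}
	allowed := false
	for _, m := range validMethods {
		allowed = allowed || m == hdr.Alg
	}
	if !allowed || hdr.Alg != "HS256" {
		return fmt.Errorf("signing method %q is not allowed or not supported", hdr.Alg)
	}
	// Only after the alg passed the allowlist is the key used to recompute the tag.
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return fmt.Errorf("signature verification failed")
	}
	return nil
}
```

A token whose header claims HS512 (or any alg outside the list) is rejected before the secret is used, which is exactly the ordering that the type assertion in the original example does not provide.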