High severity issue in github.com/dgrijalva/jwt-go #1026
Comments
sagikazarmark
changed the title
|
If you're referring to the fork at github.com/form3tech-oss/jwt-go, there's a bug in the code that doesn't properly handle the audience claim. The RFC specifies the AUD claim can either be a string or an array of strings. The code in the fork assumes it's an array of string and any AUD claim with a string (e.g. Azure AD id tokens) will cause a panic. |
|
Thanks for pointing that out, I didn't know that. I guess we are better off with go-jose then. |
|
Happy to take a PR which migrates to the other package. |
|
If you look at the bottom, it appears to be fixed in the v4 version, which has been tagged "preview" for a bit but that's what we're using internally for what it's worth. |
|
This vulnerability is real problem when you are reusing token signing keys for different applications and have coded explicit rule that But does it even make sense in security perspective to have a rule - it is OK when |
|
Is there an outcome here? What should we be doing? |
|
This weekend I started replacing the dgrijalva/jwt-go libary usage with the square/go-jose library to see how this would pan-out. This will be a breaking change to use kit/auth/jwt since the existing NewSigner and NewParser funcs take parameters that are specific to the dgrijalva library. They have to be replaced with the equivalent go-jose library parameters to keep close to the intent of the two funcs. We can go that route or try to make those funcs a bit more generic so that the implementation returned in the endpoint.Endpoint can be more easily replaced/maintained in the future. Thoughts? |
|
is it jwt-go problem when developer writes in their application I mean - when it makes sense to optionally check that kind of info? |
|
Sadly, go-jose seems to have its own issues: dunglas/mercure#394 (comment) Vulnerabilities is one problem. Maintenance is another. The currently used jwt library is not maintained. Sending a PR is on my todolist, but didn't have the time so far. |
|
So after digging and having the same issue. I think the solution here will be to use https://github.com/golang-jwt/jwt. It's a maintained fork from dgrijalva/jwt-go#428 |
I tried to use https://github.com/golang-jwt/jwt. but I got the following error cannot use keys (type func(*"github.com/golang-jwt/jwt".Token) (interface {}, error)) as type "github.com/dgrijalva/jwt-go".Keyfunc in argument to "github.com/go-kit/kit/auth/jwt".NewParser |
|
Because go-kit hasn‘t made the switch yet. |
|
Submitted #1172 to switch to https://github.com/golang-jwt/jwt. Kept things very simple. Hope that works and it's possible to do a hotfix release if all is fine and PR is merged. |
|
Not sure a hotfix is the right approach as this is a breaking change. |
|
Ah, indeed that's a breaking change, I was too fast, sorry for that. |
go-kit 0.11.0 has a dependency on github.com/dgrijalva/jwt-go which has a few vulns. Namely dgrijalva/jwt-go#428. go-kit switched to the properly maintained fork in go-kit/kit#1026 so this commit bumps up to 0.12.0 in order to pick up that change and remove the dependency on the vulnerable lib
go-kit 0.11.0 has a dependency on github.com/dgrijalva/jwt-go which has a few vulns. Namely dgrijalva/jwt-go#428. go-kit switched to the properly maintained fork in go-kit/kit#1026 so this commit bumps up to 0.12.0 in order to pick up that change and remove the dependency on the vulnerable lib
go-kit 0.11.0 has a dependency on github.com/dgrijalva/jwt-go which has a few vulns. Namely dgrijalva/jwt-go#428. go-kit switched to the properly maintained fork in go-kit/kit#1026 so this commit bumps up to 0.12.0 in order to pick up that change and remove the dependency on the vulnerable lib Signed-off-by: Colin Douch <iam@colindou.ch>
go-kit 0.11.0 has a dependency on github.com/dgrijalva/jwt-go which has a few vulns. Namely dgrijalva/jwt-go#428. go-kit switched to the properly maintained fork in go-kit/kit#1026 so this commit bumps up to 0.12.0 in order to pick up that change and remove the dependency on the vulnerable lib Signed-off-by: Colin Douch <iam@colindou.ch>
There is an unpatched, high severity issue in the aforementioned JWT package: dgrijalva/jwt-go#428
Unfortunately, it looks like the author completely abandoned the package.
There is a maintained fork that fixes the issue, but we decided to switch to gopkg.in/square/go-jose.v2
A lot of users seem to prefer this package now.
I might provide a PR later, I just wanted to raise awareness that the current JWT implementation relies on a library with a security risk.
It's not a security issue with the library itself and can easily be fixed by users on their end by using a fork, so public disclosure should probably be ok. Feel free to delete the issue if you disagree @peterbourgon
The text was updated successfully, but these errors were encountered: