Example code is memory insecure #60

lggomez · 2021-08-03T12:13:02Z

Comments
@gardc
gardc commented on Nov 21, 2020 •

Referring to this example (https://godoc.org/github.com/dgrijalva/jwt-go#example-Parse--Hmac) pointed to by the readme, feeding it an invalid JWT will create a memory panic.

Go playground example. (https://play.golang.org/p/wyOgm21FYE8)

Checking for err and token.Valid before assuming it's all good in the hood fixes the issue, Go playground example. (https://play.golang.org/p/0sX-54gXfE2)

lggomez · 2021-08-03T12:13:16Z

@johnbalvin
johnbalvin commented on Nov 26, 2020

just check the error https://play.golang.org/p/LG0AFYMhGQm

lggomez · 2021-08-03T12:13:36Z

FWIW, here's the repro using this package: https://play.golang.org/p/ym1qpfvFdZS

lggomez · 2021-08-03T12:25:04Z

Related issue: dgrijalva/jwt-go#379

jackaitken · 2023-04-28T23:31:28Z

Could I raise a PR to fix this example?

oxisto · 2023-04-29T14:34:06Z

Could I raise a PR to fix this example?

Sure go ahead, although I am not sure if we already fixed this over time now

lggomez added documentation Improvements or additions to documentation jwt-go: legacy labels Aug 3, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Example code is memory insecure #60

Example code is memory insecure #60

lggomez commented Aug 3, 2021

lggomez commented Aug 3, 2021

lggomez commented Aug 3, 2021

lggomez commented Aug 3, 2021

jackaitken commented Apr 28, 2023 •

edited

oxisto commented Apr 29, 2023

Example code is memory insecure #60

Example code is memory insecure #60

Comments

lggomez commented Aug 3, 2021

lggomez commented Aug 3, 2021

lggomez commented Aug 3, 2021

lggomez commented Aug 3, 2021

jackaitken commented Apr 28, 2023 • edited

oxisto commented Apr 29, 2023

jackaitken commented Apr 28, 2023 •

edited