Certain non-JWT but decodable strings cause "TypeError: no implicit conversion of String into Integer" on decode #470

Open
dmcinnes opened this issue Feb 11, 2022 · 1 comment


dmcinnes commented Feb 11, 2022

This is a bit of an edge case, but it's caused some confusion for us.

If a string is given with segments that can be `Base64.urlsafe_decode64` but doesn't match up to the expectation of a JWT, a `TypeError: no implicit conversion of String into Integer` is raised instead of a `JWT::DecodeError`.

An example string is `Mw.x.x` -- the first segment is decoded as the number 3 for the header, which later causes this line to raise the `TypeError: no implicit conversion of String into Integer`:

```ruby
raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless header['alg']
```

Member

anakinj commented Feb 23, 2022

I think we could be a little stricter on the type validation for the header.

I'm guessing there is something in the JWT RFC saying the headers need to be an object with a certain set of attributes.

Adding `raise(JWT::IncorrectAlgorithm, 'Invalid header') unless header.is_a?(Hash)` somewhere maybe
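
The failure reported in this thread and the type check suggested in the comment above, as an added example (not code from the issue or from the jwt gem). It decodes only the header segment, following the same steps as `Base64.urlsafe_decode64`; the `HeaderDemo` module, its error classes and method names are hypothetical stand-ins, and the `[]` and `null` headers are constructed inputs that go beyond the `Mw.x.x` case.

```ruby
require 'json'

module HeaderDemo
  # Hypothetical stand-ins for JWT::DecodeError / JWT::IncorrectAlgorithm.
  class DecodeError < StandardError; end
  class IncorrectAlgorithm < DecodeError; end

  module_function

  # Same steps as Base64.urlsafe_decode64: re-pad, map alphabet, strict-decode.
  def b64url_decode(seg)
    seg.ljust((seg.length + 3) & ~3, '=').tr('-_', '+/').unpack1('m0')
  rescue ArgumentError
    raise DecodeError, 'Invalid segment encoding'
  end

  # Encoder used only to build the constructed sample tokens.
  def b64url(str)
    [str].pack('m0').tr('+/', '-_').delete('=')
  end

  def parse_header(token)
    JSON.parse(b64url_decode(token.split('.').first.to_s))
  rescue JSON::ParserError
    raise DecodeError, 'Invalid segment encoding'
  end

  # Header indexed without a type check, as in the line quoted in the issue.
  def alg_unchecked(token)
    header = parse_header(token)
    raise(IncorrectAlgorithm, 'Token is missing alg header') unless header['alg']
    header['alg']
  end

  # Same lookup with the is_a?(Hash) guard suggested in the comment.
  def alg_checked(token)
    header = parse_header(token)
    raise(IncorrectAlgorithm, 'Invalid header') unless header.is_a?(Hash)
    alg_unchecked(token)
  end

  # Returns the alg value, or the class name of whatever was raised.
  def outcome(fn, token)
    send(fn, token)
  rescue StandardError => e
    e.class.name
  end
end
```

With the guard in place, every non-object header surfaces as a `DecodeError` subclass, so a caller that rescues only the decode error family no longer sees `TypeError` or `NoMethodError` from malformed input.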
