[issue 675] oauth2 use golang-jwt address CVE-2020-26160 #713
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wolfstudy
reviewed
Jan 19, 2022
| @@ -6,7 +6,7 @@ jobs: | |||
| runs-on: ubuntu-latest | |||
| strategy: | |||
| matrix: | |||
| go-version: [1.13, 1.14, 1.15, 1.16, 1.17] | |||
| go-version: [1.15, 1.16, 1.17] | |||
There was a problem hiding this comment.
The newly fixed jwt-go does not support versions prior to go 1.5?
There was a problem hiding this comment.
No. They do not support. Here are two issues explaining why. I posed in the original motivation too.
golang-jwt/jwt#50
golang-jwt/jwt#90
|
cc @zymap please check |
wolfstudy
approved these changes
Jan 19, 2022
lhotari
approved these changes
Jan 19, 2022
1 task
|
@wolfstudy what is the schedule for 0.8.0 release? https://github.com/apache/pulsar/blob/master/pulsar-function-go/go.sum and https://github.com/apache/pulsar/blob/master/pulsar-function-go/examples/go.sum get hi-lighted as vulnerable for CVE-2020-26160 and it would be good to have these issues resolved asap. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #675 #675
Motivation
The original CVE
CVE-2020-26160
high severity
Vulnerable versions: <= 3.2.0
Patched version: No fix
jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1
Modifications
oauth2go mod uses github.com/form3tech-oss/jwt-go, which is a fork from dgrijalva/jwt-go that is in read-only. The modification is switch to golang-jwt.Golang 1.15 minimum version support
Set the minimum golang version to 1.15. It is because the recommended golang-jwt library requires golang 1.15+. It's explained in these two issues from the golang-jwt repo.
golang-jwt/jwt#50
golang-jwt/jwt#90
Does this pull request potentially affect one of the following parts:
If
yeswas chosen, please highlight the changesSwitch to golang-jwt as the CVE suggests.
Documentation