Claims validation should not mutate incoming requiredClaims array
#610
Comments
good catch!
I could make a PR, though I'd have to figure out how your tests are organized so I could add one that verifies the change.
LOL, yeah. That's why I didn't do that from the start. I figured you'd be able to do it in 1/10 of the time 🤓.
That said, I'm curious about the
So that the claims that are implied required from the other options come first. It could've been a side effect of the bug that I didn't spot and my test suite made me believe it's all good then. I guess I could also just unshift the array now. If you want to make a refactor PR that's okay
Ahhh, that makes sense. Yeah I'm writing some unit tests around this and I had to do something like this because it didn't seem like a good idea to rely on order, even though this is less precise.

```js
test.each([
  { jwt: {}, options: { aud: null, iat: null, exp: null }, missing: ['aud', 'iat', 'exp', 'deployment', 'deployment_hostname'] },
  { jwt: {}, options: { iat: null, exp: null }, missing: ['iat', 'exp', 'deployment', 'deployment_hostname'] },
  { jwt: {}, options: { exp: null }, missing: ['exp', 'deployment', 'deployment_hostname'] },
  { jwt: {}, options: {}, missing: ['deployment', 'deployment_hostname'] },
  { jwt: { deployment: 'foo' }, options: {}, missing: ['deployment_hostname'] },
])('fails when the required claims are not present ($missing)', async ({ jwt, options, missing }) => {
  await request(wrapper)
    .post('/')
    .set('Authorization', `Bearer ${await signJwt(jwt, options)}`);
  const error = expectUnauthorizedError(errors, UnauthorizedErrorReason.JWT_VERIFY_FAILED);
  const joseError = expectJoseError(error.originalError, JWTClaimValidationFailed);
  // Only the first missing claim is reported, and its order is not guaranteed,
  // so assert membership rather than a specific claim.
  expect(missing).toContain(joseError.claim);
});
```

I guess a refactor could make it more deterministic, always validating implied first then incoming or whatever. That said, it's probably fine.
What happened?
jose/src/lib/jwt_claims_set.ts
Lines 56 to 61 in b7b1e3a
`requiredClaims` is mutated via the `push` calls and by `reverse`, which happens in place. If calling code maintains a reference to this array and passes it in to multiple calls, it could grow over time. A shallow copy would probably be sufficient to avoid this, or the code could just construct the set earlier.
To be honest, I'm not 100% sure of the purpose of the `reverse` call.
Version
v5.1.1
Runtime
Node.js
Runtime Details
v18.18.0
Code to reproduce
Required
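To make the reported behaviour concrete, here is an added example that is not the reporter's or jose's own code: a stripped-down model of the presence check that pushes to and reverses the caller's `requiredClaims` array, beside the shallow-copy fix suggested in the report. The option names `audience` and `maxTokenAge` and the implied-claim mapping are assumptions for the illustration.

```javascript
// Added illustration, not jose's own code: a minimal model of a claims-set
// presence check written the way the issue describes (push() and reverse() on
// the caller's array), next to a version that shallow-copies the array first.
// Option names (audience, maxTokenAge) are assumed for the example.

function impliedClaims(options) {
  // Claims that other verification options make mandatory.
  const implied = [];
  if (options.maxTokenAge !== undefined) implied.push('iat');
  if (options.audience !== undefined) implied.push('aud');
  return implied;
}

function missingOf(payload, claims) {
  // reverse() works in place, so implied claims end up first; with a
  // "throw on the first missing claim" check that decides which claim is reported.
  return [...new Set(claims.reverse())].filter((claim) => !(claim in payload));
}

// Reported behaviour: the caller's options.requiredClaims is pushed to and reversed.
function missingClaimsMutating(payload, options) {
  const requiredClaims = options.requiredClaims ?? [];
  requiredClaims.push(...impliedClaims(options));
  return missingOf(payload, requiredClaims);
}

// Fix suggested in the issue: a shallow copy keeps the caller's array untouched.
function missingClaimsCopying(payload, options) {
  const presenceCheck = [...(options.requiredClaims ?? [])];
  presenceCheck.push(...impliedClaims(options));
  return missingOf(payload, presenceCheck);
}

// A caller that reuses one options object for two checks of an empty payload.
function verifyTwice(check) {
  const options = { requiredClaims: ['deployment', 'deployment_hostname'], audience: 'api', maxTokenAge: '5m' };
  const first = check({}, options);
  const second = check({}, options);
  return { first, second, requiredClaimsAfter: [...options.requiredClaims] };
}

// Mutating: the caller's array grows from 2 to 6 entries and the order in which
// the explicit claims are reported flips between the two calls.
// Copying: the array still holds its 2 original claims and both calls agree.
```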