Now JWT_LOADER takes the alg as argument, to avoid security issue where the lib is taking alg from the header (which may be a bad security weakness).

2017-07-11 23:32:11 +02:00
parent 27ee20f99b
commit 2748e1d9ee
4 changed files with 105 additions and 22 deletions
--- a/library/security/jwt/src/jwt_loader.e
+++ b/library/security/jwt/src/jwt_loader.e
@@ -1,8 +1,8 @@
 note
-	description: "Summary description for {JWT_LOADER}."
-	author: ""
+	description: "Loader and verifier to JWT token."
 	date: "$Date$"
 	revision: "$Revision$"
+	EIS: "name=Known Critical vulnerabilities in JWT libs", "protocol=URI", "src=https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/"

 class
 	JWT_LOADER
@@ -12,9 +12,13 @@ inherit

 feature -- Access

-	token (a_token_input: READABLE_STRING_8; a_secret: READABLE_STRING_8; ctx: detachable JWT_CONTEXT): detachable JWT
-			-- Decoded token from `a_token_input` given the secret `a_secret`, and optional context `ctx`
+	token (a_token_input: READABLE_STRING_8; a_alg: detachable READABLE_STRING_8; a_verification_key: READABLE_STRING_8; ctx: detachable JWT_CONTEXT): detachable JWT
+			-- Decoded token from `a_token_input` given the verification key `a_verification_key` and optional (but recommended) signature algorithm `a_alg`, and optional context `ctx`
 			-- used to specify eventual issuer and various parameters.
+			-- WARNING: passing Void for `a_alg` is not safe, as the server should know which alg he used for tokens,
+			-- 			leaving the possibility to use the header alg is dangerous as client may use "none" and then bypass verification!
+		require
+			a_valid_alg: a_alg /= Void implies is_supporting_signature_algorithm (a_alg)
 		local
 			jws: JWS
 			i,j,n: INTEGER
@@ -29,20 +33,27 @@ feature -- Access
 					l_enc_payload := a_token_input.substring (i + 1, j - 1)
 					l_signature := a_token_input.substring (j + 1, n)
 					create jws.make_with_json_payload (base64url_decode (l_enc_payload))
-
 					alg := signature_algorithm_from_encoded_header (l_enc_header)
-					jws.set_algorithm (alg)
-					if alg = Void then
-							-- Use default
-						alg := alg_hs256
+					if a_alg /= Void then
+						if alg /= Void and then not alg.is_case_insensitive_equal_general (a_alg) then
+							jws.report_mismatched_alg_error (a_alg, alg)
+						else
+							alg := a_alg
+						end
+					else
+						if alg = Void then
+								-- Use default
+							alg := alg_hs256
+						end
 					end
+					jws.set_algorithm (alg)
 					check alg_set: alg /= Void end
 					if ctx = Void or else not ctx.validation_ignored then
 						if not is_supporting_signature_algorithm (alg) then
 							jws.report_unsupported_alg_error (alg)
 							alg := alg_hs256
 						end
-						if not l_signature.same_string (signature (l_enc_header, l_enc_payload, a_secret, alg)) then
+						if not l_signature.same_string (signature (l_enc_header, l_enc_payload, a_verification_key, alg)) then
 							jws.report_unverified_token_error
 						end
 						if