Merge pull request #1753 from chriswhite199/jsonwebtoken-vuln

2024-11-24 15:00:17 +01:00 · 2024-03-29 00:56:17 +00:00 · 2024-03-29 00:56:17 +00:00 · 6edf731d46
commit 6edf731d46
parent 6fd00e2598 ef5ff5bec6
3 changed files with 40 additions and 13 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -52,7 +52,7 @@
        "jsesc": "^3.0.2",
        "json5": "^2.2.3",
        "jsonpath-plus": "^8.0.0",
-        "jsonwebtoken": "8.5.1",
+        "jsonwebtoken": "^9.0.0",
        "jsqr": "^1.4.0",
        "jsrsasign": "^11.1.0",
        "kbpgp": "2.1.15",
@ -9703,9 +9703,9 @@
      }
    },
    "node_modules/jsonwebtoken": {
-      "version": "8.5.1",
+      "version": "9.0.2",
-      "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz",
+      "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-9.0.2.tgz",
-      "integrity": "sha512-XjwVfRS6jTMsqYs0EsuJ4LGxXV14zQybNd4L2r0UvbVnSF9Af8x7p5MzbJ90Ioz/9TI41/hTCvznF/loiSzn8w==",
+      "integrity": "sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ==",
      "dependencies": {
        "jws": "^3.2.2",
        "lodash.includes": "^4.3.0",
@ -9716,21 +9716,43 @@
        "lodash.isstring": "^4.0.1",
        "lodash.once": "^4.0.0",
        "ms": "^2.1.1",
-        "semver": "^5.6.0"
+        "semver": "^7.5.4"
      },
      "engines": {
-        "node": ">=4",
+        "node": ">=12",
-        "npm": ">=1.4.28"
+        "npm": ">=6"
      }
    },
    "node_modules/jsonwebtoken/node_modules/lru-cache": {
      "version": "6.0.0",
      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz",
      "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==",
      "dependencies": {
        "yallist": "^4.0.0"
      },
      "engines": {
        "node": ">=10"
      }
    },
    "node_modules/jsonwebtoken/node_modules/semver": {
-      "version": "5.7.1",
+      "version": "7.6.0",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.0.tgz",
-      "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==",
+      "integrity": "sha512-EnwXhrlwXMk9gKu5/flx5sv/an57AkRplG3hTK68W7FRDN+k+OWBj65M7719OkA82XLBxrcX0KSHj+X5COhOVg==",
      "dependencies": {
        "lru-cache": "^6.0.0"
      },
      "bin": {
-        "semver": "bin/semver"
+        "semver": "bin/semver.js"
      },
      "engines": {
        "node": ">=10"
      }
    },
    "node_modules/jsonwebtoken/node_modules/yallist": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A=="
    },
    "node_modules/jsqr": {
      "version": "1.4.0",
      "license": "Apache-2.0"
--- a/package.json
+++ b/package.json
@ -134,7 +134,7 @@
    "jsesc": "^3.0.2",
    "json5": "^2.2.3",
    "jsonpath-plus": "^8.0.0",
-    "jsonwebtoken": "8.5.1",
+    "jsonwebtoken": "^9.0.0",
    "jsqr": "^1.4.0",
    "jsrsasign": "^11.1.0",
    "kbpgp": "2.1.15",
--- a/src/core/operations/JWTSign.mjs
+++ b/src/core/operations/JWTSign.mjs
@ -50,7 +50,12 @@ class JWTSign extends Operation {
        try {
            return jwt.sign(input, key, {
-                algorithm: algorithm === "None" ? "none" : algorithm
+                algorithm: algorithm === "None" ? "none" : algorithm,
                // To utilize jsonwebtoken 9+ library and maintain backwards compatibility for regression tests
                // This could be turned into operation args in a future PR
                allowInsecureKeySizes: true,
                allowInvalidAsymmetricKeyTypes: true
            });
        } catch (err) {
            throw new OperationError(`Error: Have you entered the key correctly? The key should be either the secret for HMAC algorithms or the PEM-encoded private key for RSA and ECDSA.