Removed assert since it's a security issue.

Author: rohe

src/cryptojwt/jwe.py

@@ -383,18 +383,14 @@ def is_jwe(self):
         if "typ" in self.headers and self.headers["typ"].lower() == "jwe":
             return True
 
-        try:
-            assert "alg" in self.headers and "enc" in self.headers
-        except AssertionError:
-            return False
-        else:
+        if "alg" in self.headers and "enc" in self.headers:
             for typ in ["alg", "enc"]:
-                try:
-                    assert self.headers[typ] in SUPPORTED[typ]
-                except AssertionError:
+                if self.headers[typ] not in SUPPORTED[typ]:
                     logger.debug("Not supported %s algorithm: %s" % (
                         typ, self.headers[typ]))
                     return False
+        else:
+            return False
         return True
 
     def __len__(self):
@@ -659,9 +655,7 @@ def decrypt(self, token, key, cek=None):
 
         self["cek"] = cek
         enc = jwe.headers["enc"]
-        try:
-            assert enc in SUPPORTED["enc"]
-        except AssertionError:
+        if enc not in SUPPORTED["enc"]:
             raise NotSupportedAlgorithm(enc)
 
         msg = self._decrypt(enc, cek, jwe.ciphertext(),
@@ -946,7 +940,6 @@ def encrypt(self, keys=None, cek="", iv="", **kwargs):
         :return: Encrypted message
         """
 
-        # encrypted_key = cek = iv = None
         _alg = self["alg"]
 
         # Find Usable Keys

src/cryptojwt/jwk.py

@@ -395,25 +395,22 @@ def verify(self):
                     return False
 
         if self.kid:
-            try:
-                assert isinstance(self.kid, six.string_types)
-            except AssertionError:
+            if not isinstance(self.kid, six.string_types):
                 raise HeaderError("kid of wrong value type")
         return True
 
     def __eq__(self, other):
-        try:
-            if self.__class__ != other.__class__:
-                return False
-
-            assert set(self.__dict__.keys()) == set(other.__dict__.keys())
+        if self.__class__ != other.__class__:
+            return False
 
-            for key in self.public_members:
-                assert getattr(other, key) == getattr(self, key)
-        except AssertionError:
+        if set(self.__dict__.keys()) != set(other.__dict__.keys()):
             return False
-        else:
-            return True
+
+        for key in self.public_members:
+            if getattr(other, key) != getattr(self, key):
+                return False
+
+        return True
 
     def keys(self):
         return list(self.to_dict().keys())

src/cryptojwt/jws.py

@@ -361,9 +361,7 @@ def headers(self, extra=None):
             _header["jwk"] = extra["jwk"].serialize()
 
         if "kid" in self:
-            try:
-                assert isinstance(self["kid"], six.string_types)
-            except AssertionError:
+            if not isinstance(self["kid"], six.string_types):
                 raise HeaderError("kid of wrong value type")
 
         return _header
@@ -430,11 +428,7 @@ def pick_keys(self, keys, use="", alg=""):
                 "Picked: kid:{}, use:{}, kty:{}".format(
                     _key.kid, _key.use, _key.kty))
             if _kid:
-                try:
-                    assert _kid == _key.kid
-                except (KeyError, AttributeError):
-                    pass
-                except AssertionError:
+                if _kid != _key.kid:
                     continue
 
             if use and _key.use and _key.use != use:
@@ -699,7 +693,8 @@ def verify_json(self, jws, keys=None, allow_none=False, sigalg=None):
             if _claim is None:
                 _claim = _tmp
             else:
-                assert _claim == _tmp
+                if _claim != _tmp:
+                    raise ValueError()
 
         return _claim
 
@@ -737,22 +732,18 @@ def _is_compact_jws(self, jws):
         except Exception:
             return False
 
-        try:
-            assert "alg" in jwt.headers
-        except AssertionError:
+        if "alg" not in jwt.headers:
             return False
-        else:
-            if jwt.headers["alg"] is None:
-                jwt.headers["alg"] = "none"
 
-            try:
-                assert jwt.headers["alg"] in SIGNER_ALGS
-            except AssertionError:
-                logger.debug("UnknownSignerAlg: %s" % jwt.headers["alg"])
-                return False
-            else:
-                self.jwt = jwt
-                return True
+        if jwt.headers["alg"] is None:
+            jwt.headers["alg"] = "none"
+
+        if jwt.headers["alg"] not in SIGNER_ALGS:
+            logger.debug("UnknownSignerAlg: %s" % jwt.headers["alg"])
+            return False
+
+        self.jwt = jwt
+        return True
 
 
 def factory(token):