Fixes #216: more robust Base64 verification (do not ignore stray

sebadoom · sebadoom · commit ba880a27d6ee · 2017-12-11T13:56:14.000-03:00
characters).
diff --git a/js/app.js b/js/app.js
@@ -526,6 +526,21 @@ FaFp+DyAe+b4nDwuJaW2LURbr8AEZga7oQj0uYxcYw==\n\
   var secretElement = document.getElementsByName('secret')[0];
   var isBase64EncodedElement = document.getElementsByName('is-base64-encoded')[0];
 
+  function showInvalidSignature() {
+    var signatureElement = getFirstElementByClassName('js-signature');
+    $(signatureElement).removeClass('valid-token');
+    $(signatureElement).addClass('invalid-token');
+    signatureElement.innerHTML = '<i class="icon-budicon-501"></i> invalid signature';
+  }
+
+  function showValidSignature() {
+    var signatureElement = getFirstElementByClassName('js-signature');
+    $(signatureElement).removeClass('invalid-token');      
+    $(signatureElement).addClass('valid-token');
+    signatureElement.innerHTML = '<i class="icon-budicon-499"></i> signature verified';
+    $('.input').removeClass('error');
+  }
+
   function updateSignature () {
     var algorithm = getAlgorithm();
     var signatureElement = getFirstElementByClassName('js-signature');
@@ -538,6 +553,7 @@ FaFp+DyAe+b4nDwuJaW2LURbr8AEZga7oQj0uYxcYw==\n\
     var isBase64 = isBase64EncodedElement.checked;
     if (isBase64 && !window.isValidBase64String(secretElement.value)) {
       $(signatureContainerElement).addClass('error');
+      showInvalidSignature();
       return;
     } else {
       $(signatureContainerElement).removeClass('error');
@@ -553,14 +569,9 @@ FaFp+DyAe+b4nDwuJaW2LURbr8AEZga7oQj0uYxcYw==\n\
     var error = result.error;
     result = result.result;
     if (!error && result) {
-      $(signatureElement).removeClass('invalid-token');      
-      $(signatureElement).addClass('valid-token');
-      signatureElement.innerHTML = '<i class="icon-budicon-499"></i> signature verified';
-      $('.input').removeClass('error');
+      showValidSignature()
     } else {
-      $(signatureElement).removeClass('valid-token');
-      $(signatureElement).addClass('invalid-token');
-      signatureElement.innerHTML = '<i class="icon-budicon-501"></i> invalid signature';
+      showInvalidSignature();
     }
   }
 
diff --git a/js/jwt.js b/js/jwt.js
@@ -105,9 +105,26 @@ window.sign = function (algorithm, header, payload, key, isSecretBase64Encoded)
 
 window.isValidBase64String = function (s) {
   try {
-    s = window.b64utob64(s);
-    window.CryptoJS.enc.Base64.parse(s).toString();
-    return true;
+    var validChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_+/=';
+    var hasPadding = false;
+    for(var i = 0; i < s.length; ++i) {
+      hasPadding |= s.charAt(i) === '=';
+      if(validChars.indexOf(s.charAt(i)) === -1) {
+        return false;
+      }
+    }
+
+    if(hasPadding) {
+      for(var i = s.indexOf('='); i < s.length; ++i) {
+        if(s.charAt(i) !== '=') {
+          return false;
+        }
+      }
+
+      return s.length % 4 === 0;
+    }
+
+    return true;    
   } catch (e) {
     return false;
   }
@@ -133,7 +150,7 @@ window.verify = function (algorithm, value, key, isSecretBase64Encoded) {
     if (isSecretBase64Encoded) {
       try {
         key = window.b64utob64(key);
-        key = window.CryptoJS.enc.Base64.parse(key).toString();
+        key = window.b64tohex(key);
       } catch (e) {
         return {result: '', error: e};
       }
