Commit 6e33088
fix(deps): update jjwt to v0.12.4 (#1220)
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [io.jsonwebtoken:jjwt-jackson](https://togithub.com/jwtk/jjwt) | `0.12.3` -> `0.12.4` | [badge](https://docs.renovatebot.com/merge-confidence/) | [badge](https://docs.renovatebot.com/merge-confidence/) | [badge](https://docs.renovatebot.com/merge-confidence/) | [badge](https://docs.renovatebot.com/merge-confidence/) |
| [io.jsonwebtoken:jjwt-impl](https://togithub.com/jwtk/jjwt) | `0.12.3` -> `0.12.4` | [badge](https://docs.renovatebot.com/merge-confidence/) | [badge](https://docs.renovatebot.com/merge-confidence/) | [badge](https://docs.renovatebot.com/merge-confidence/) | [badge](https://docs.renovatebot.com/merge-confidence/) |
| [io.jsonwebtoken:jjwt-api](https://togithub.com/jwtk/jjwt) | `0.12.3` -> `0.12.4` | [badge](https://docs.renovatebot.com/merge-confidence/) | [badge](https://docs.renovatebot.com/merge-confidence/) | [badge](https://docs.renovatebot.com/merge-confidence/) | [badge](https://docs.renovatebot.com/merge-confidence/) |
---
### Release Notes
<details>
<summary>jwtk/jjwt (io.jsonwebtoken:jjwt-jackson)</summary>
### [`v0.12.4`](https://togithub.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0124)
[Compare Source](https://togithub.com/jwtk/jjwt/compare/0.12.3...0.12.4)
This patch release includes various changes listed below.
##### Jackson Default Parsing Behavior
This release makes two behavioral changes to JJWT's default Jackson `ObjectMapper` parsing settings:

1. In the interest of having stronger standards to reject potentially malformed/malicious/accidental JSON that could have undesirable effects on an application, JJWT's default `ObjectMapper` is now configured to explicitly reject/fail parsing JSON (JWT headers and/or Claims) if/when that JSON contains duplicate JSON member names.

   For example, now the following JSON, if parsed, would fail (be rejected) by default:

   ```json
   {
     "hello": "world",
     "thisWillFail": 42,
     "thisWillFail": "test"
   }
   ```

   Technically, the JWT RFCs *do allow* duplicate named fields as long as the last parsed member is the one used (see [JWS RFC 7515, Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4)), so this is allowed. However, because JWTs often reflect security concepts, it's usually better to be defensive and reject these unexpected scenarios by default. The RFC later supports this position/preference in [Section 10.12](https://datatracker.ietf.org/doc/html/rfc7515#section-10.12):

   > Ambiguous and potentially exploitable situations could arise if the JSON parser used does not enforce the uniqueness of member names or returns an unpredictable value for duplicate member names.

   Finally, this is just a default, and the RFC does indeed allow duplicate member names if the last value is used, so applications that require duplicates to be allowed can simply configure their own `ObjectMapper` and use that with JJWT instead of assuming this (new) JJWT default. See [Issue #877](https://togithub.com/jwtk/jjwt/issues/877) for more.
2. If using JJWT's support to use Jackson to parse [Custom Claim Types](https://togithub.com/jwtk/jjwt#json-jackson-custom-types) (for example, a Claim that should be unmarshalled into a POJO), and the JSON for that POJO contained a member that is not represented in the specified class, Jackson would fail parsing by default. Because POJOs and JSON data models can sometimes be out of sync due to different class versions, the default behavior has been changed to ignore these unknown JSON members instead of failing (i.e. the `ObjectMapper`'s `DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES` is now set to `false`) by default.

   Again, if you prefer the stricter behavior of rejecting JSON with extra or unknown properties, you can configure `true` on your own `ObjectMapper` instance and use that instance with the `Jwts.parser()` builder.
##### Additional Changes

This release also:

- Fixes a thread-safety issue when using `java.util.ServiceLoader` to dynamically lookup/instantiate pluggable implementations of JJWT interfaces (e.g. JSON parsers, etc). See [Issue #873](https://togithub.com/jwtk/jjwt/issues/873) and its documented fix in [PR #893](https://togithub.com/jwtk/jjwt/pull/892).
- Ensures Android environments and older `org.json` library usages can parse JSON from a `JwtBuilder`-provided `java.io.Reader` instance. [Issue 882](https://togithub.com/jwtk/jjwt/issues/882).
- Ensures a single string `aud` (Audience) claim is retained (without converting it to a `Set`) when copying/applying a source Claims instance to a destination Claims builder. [Issue 890](https://togithub.com/jwtk/jjwt/issues/890).
- Ensures P-256, P-384 and P-521 Elliptic Curve JWKs zero-pad their field element (`x`, `y`, and `d`) byte array values if necessary before Base64Url-encoding per [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518), Sections [6.2.1.2](https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.2), [6.2.1.3](https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.3), and [6.2.2.1](https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.2.1), respectively. [Issue 901](https://togithub.com/jwtk/jjwt/issues/901).
- Ensures that Secret JWKs for HMAC-SHA algorithms with `k` sizes larger than the algorithm minimum can be parsed/used as expected. See [Issue #905](https://togithub.com/jwtk/jjwt/issues/905).
- Ensures there is an upper bound (maximum) iterations enforced for PBES2 decryption to help mitigate potential DoS attacks. Many thanks to Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for their work on this. See [PR 911](https://togithub.com/jwtk/jjwt/pull/911).
- Fixes various typos in documentation and JavaDoc. Thanks to those contributing pull requests for these!
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/line/line-bot-sdk-java).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent 6907cb8, commit 6e33088
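The two parsing defaults described in the release notes above (duplicate JSON member names rejected; `FAIL_ON_UNKNOWN_PROPERTIES` off unless you opt back in) are easiest to understand by exercising the parser against a token whose payload actually contains a duplicate member. The following is an added example, not code from this PR, from line-bot-sdk-java or from the jjwt project: it assumes jjwt 0.12.4 (`jjwt-api`, `jjwt-impl`, `jjwt-jackson`) on the classpath, a locally generated HS256 key, and a constructed payload with the claim `role` given twice. The class name `DuplicateMemberDemo` and the helper `handCraftedJws` are this example's own; the token is built by hand only because `Jwts.builder()` is Map-backed and cannot emit a duplicate key, which is exactly the input a parser must decide about.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.jackson.io.JacksonDeserializer;

import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class DuplicateMemberDemo {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    // Hypothetical helper: builds a compact HS256 JWS from a raw payload string so the
    // payload may contain a duplicate member name (Jwts.builder() cannot produce one).
    static String handCraftedJws(String payloadJson, SecretKey key) throws Exception {
        String header = B64.encodeToString(
                "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key.getEncoded(), "HmacSHA256"));
        byte[] sig = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig);
    }

    // Default 0.12.4 parser: JJWT's own ObjectMapper rejects duplicate member names.
    static Claims parseWithDefaults(String jws, SecretKey key) {
        return Jwts.parser().verifyWith(key).build().parseSignedClaims(jws).getPayload();
    }

    // The opt-out path the changelog describes: supply your own ObjectMapper.
    // Here duplicate detection is disabled (last value wins, as RFC 7515 section 4 permits)
    // while unknown properties are rejected again (the stricter pre-0.12.4 POJO behaviour).
    static Claims parseWithCustomMapper(String jws, SecretKey key) {
        ObjectMapper mapper = new ObjectMapper()
                .disable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION)
                .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        return Jwts.parser()
                .verifyWith(key)
                .json(new JacksonDeserializer<>(mapper))
                .build()
                .parseSignedClaims(jws)
                .getPayload();
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = Jwts.SIG.HS256.key().build();   // fresh random key, local to this run

        // Constructed payload: "role" appears twice, the case the release notes describe.
        String jws = handCraftedJws(
                "{\"sub\":\"alice\",\"role\":\"user\",\"role\":\"admin\"}", key);

        try {
            parseWithDefaults(jws, key);
            System.out.println("default parser accepted the token (not expected on 0.12.4)");
        } catch (JwtException e) {
            System.out.println("default parser rejected duplicate member: "
                    + e.getClass().getSimpleName());
        }

        Claims lenient = parseWithCustomMapper(jws, key);
        System.out.println("custom mapper, last value wins: role=" + lenient.get("role"));
    }
}
```

The signature is valid in both runs, so the only thing that differs is JSON parsing policy: the default parser surfaces a `JwtException` subtype for the duplicated `role`, while the custom mapper silently keeps `admin`. That contrast is why the strict default is the safer one for anything that makes authorization decisions from claims. `FAIL_ON_UNKNOWN_PROPERTIES` has no visible effect on a plain `Claims` map; it only matters when a custom claim type is deserialized into a POJO, which is where the 0.12.4 default flipped to `false`.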
File tree: 1 file changed, +1 -1 lines changed

gradle/libraries.versions.toml: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | | - | |
| 3 | + | |
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| |||
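Review bot: the diff cells did not survive rendering here, so only the shape is reviewable: line 3 of gradle/libraries.versions.toml replaced (one deletion, one addition). A single changed line covering all three artifacts listed in the PR table (jjwt-api, jjwt-impl, jjwt-jackson) suggests they resolve through one shared version key in the catalog, which is the right layout; worth confirming from the full diff that the new value is `0.12.4` and that no artifact carries its own pinned version elsewhere. Because Automerge is enabled and 0.12.4 changes default parsing behaviour (duplicate JSON member names are now rejected), a one-line pointer to the release notes in the commit message body would help downstream users of line-bot-sdk-java who parse tokens from other issuers.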