[AUTO-CHERRYPICK] Patch application-gateway-kubernetes-ingress for CVE-2025-30204 [High] - branch 3.0-dev (#13230)

CBL-Mariner-Bot · Kanishk-Bansal · web-flow · commit 52b3ad9dc4fc · 2025-03-31T15:05:10.000-04:00
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/application-gateway-kubernetes-ingress/CVE-2025-30204.patch b/SPECS/application-gateway-kubernetes-ingress/CVE-2025-30204.patch
@@ -0,0 +1,134 @@
+From 84c7f3d0b9dccb4a20d0ad4de10896d40344ba26 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Fri, 28 Mar 2025 20:43:26 +0000
+Subject: [PATCH] CVE-2025-30204
+Upstream Patch Reference  : 
+v4 : https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84
+v5 : https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
+---
+ github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++++++++---
+ github.com/golang-jwt/jwt/v5/parser.go | 36 +++++++++++++++++++++++---
+ 2 files changed, 66 insertions(+), 6 deletions(-)
+
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index c0a6f69..8e7e67c 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -7,6 +7,8 @@ import (
+ 	"strings"
+ )
+ 
++const tokenDelimiter = "."
++
+ type Parser struct {
+ 	// If populated, only these methods will be considered valid.
+ 	//
+@@ -123,9 +125,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // It's only ever useful in cases where you know the signature is valid (because it has
+ // been checked previously in the stack) and you want to extract values from it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+-	parts = strings.Split(tokenString, ".")
+-	if len(parts) != 3 {
+-		return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++	var ok bool
++	parts, ok = splitToken(tokenString)
++	if !ok {
++		return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ 	}
+ 
+ 	token = &Token{Raw: tokenString}
+@@ -175,3 +178,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+ 
+ 	return token, parts, nil
+ }
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++	parts := make([]string, 3)
++	header, remain, ok := strings.Cut(token, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[0] = header
++	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[1] = claims
++	// One more cut to ensure the signature is the last part of the token and there are no more
++	// delimiters. This avoids an issue where malicious input could contain additional delimiters
++	// causing unecessary overhead parsing tokens.
++	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++	if unexpected {
++		return nil, false
++	}
++	parts[2] = signature
++
++	return parts, true
++}
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser.go b/vendor/github.com/golang-jwt/jwt/v5/parser.go
+index ecf99af..054c7eb 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go
+@@ -8,6 +8,8 @@ import (
+ 	"strings"
+ )
+ 
++const tokenDelimiter = "."
++
+ type Parser struct {
+ 	// If populated, only these methods will be considered valid.
+ 	validMethods []string
+@@ -136,9 +138,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // It's only ever useful in cases where you know the signature is valid (since it has already
+ // been or will be checked elsewhere in the stack) and you want to extract values from it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+-	parts = strings.Split(tokenString, ".")
+-	if len(parts) != 3 {
+-		return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed)
++	var ok bool
++	parts, ok = splitToken(tokenString)
++	if !ok {
++		return nil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed)
+ 	}
+ 
+ 	token = &Token{Raw: tokenString}
+@@ -196,6 +199,33 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+ 	return token, parts, nil
+ }
+ 
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++	parts := make([]string, 3)
++	header, remain, ok := strings.Cut(token, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[0] = header
++	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[1] = claims
++	// One more cut to ensure the signature is the last part of the token and there are no more
++	// delimiters. This avoids an issue where malicious input could contain additional delimiters
++	// causing unecessary overhead parsing tokens.
++	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++	if unexpected {
++		return nil, false
++	}
++	parts[2] = signature
++
++	return parts, true
++}
++
+ // DecodeSegment decodes a JWT specific base64url encoding. This function will
+ // take into account whether the [Parser] is configured with additional options,
+ // such as [WithStrictDecoding] or [WithPaddingAllowed].
+-- 
+2.45.2
+
diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec
@@ -2,7 +2,7 @@
 Summary:        Application Gateway Ingress Controller
 Name:           application-gateway-kubernetes-ingress
 Version:        1.7.7
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -13,6 +13,7 @@ Source0:        https://github.com/Azure/application-gateway-kubernetes-ingress/
 # NOTE: govendor-v1 format is for inplace CVE updates so that we do not have to overwrite in the blob-store.
 # After fixing any possible CVE for the vendored source, we must bump v1 -> v2
 Source1:        %{name}-%{version}-govendor-v1.tar.gz
+Patch0:         CVE-2025-30204.patch
 
 BuildRequires:  golang >= 1.23
 
@@ -25,6 +26,7 @@ to act as the ingress for an AKS cluster.
 
 rm -rf vendor
 tar -xf %{SOURCE1} --no-same-owner
+%autopatch -p1
 
 %build
 export VERSION=%{version}
@@ -43,6 +45,9 @@ cp appgw-ingress %{buildroot}%{_bindir}/
 %{_bindir}/appgw-ingress
 
 %changelog
+* Sat Mar 29 2025 Kanishk Bansal <kanbansal@microsoft.com> - 1.7.7-2
+- Patch CVE-2025-30204
+
 * Tue Feb 04 2025 Gary Swalling <gaswal@microsoft.com> - 1.7.7-1
 - Upgrade to v1.7.7 with golang.org/x/net v0.33.0 for CVE-2023-39325, CVE-2023-44487,
 - CVE-2023-45288, CVE-2024-51744, CVE-2024-35255, CVE-2023-3978
