|
| 1 | +From 5dc62bf02f675d71ba521c6ae2a502474a0f351b Mon Sep 17 00:00:00 2001 |
| 2 | +From: Kanishk-Bansal < [email protected]> |
| 3 | +Date: Fri, 28 Mar 2025 21:58:44 +0000 |
| 4 | +Subject: [PATCH] CVE-2025-30204 |
| 5 | + |
| 6 | +Upstream Patch Reference : v4: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84 |
| 7 | + |
| 8 | +--- |
| 9 | + vendor/github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++++++++--- |
| 10 | + 1 file changed, 33 insertions(+), 3 deletions(-) |
| 11 | + |
| 12 | +diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go |
| 13 | +index c0a6f69..8e7e67c 100644 |
| 14 | +--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go |
| 15 | ++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go |
| 16 | +@@ -7,6 +7,8 @@ import ( |
| 17 | + "strings" |
| 18 | + ) |
| 19 | + |
| 20 | ++const tokenDelimiter = "." |
| 21 | ++ |
| 22 | + type Parser struct { |
| 23 | + // If populated, only these methods will be considered valid. |
| 24 | + // |
| 25 | +@@ -123,9 +125,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf |
| 26 | + // It's only ever useful in cases where you know the signature is valid (because it has |
| 27 | + // been checked previously in the stack) and you want to extract values from it. |
| 28 | + func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) { |
| 29 | +- parts = strings.Split(tokenString, ".") |
| 30 | +- if len(parts) != 3 { |
| 31 | +- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed) |
| 32 | ++ var ok bool |
| 33 | ++ parts, ok = splitToken(tokenString) |
| 34 | ++ if !ok { |
| 35 | ++ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed) |
| 36 | + } |
| 37 | + |
| 38 | + token = &Token{Raw: tokenString} |
| 39 | +@@ -175,3 +178,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke |
| 40 | + |
| 41 | + return token, parts, nil |
| 42 | + } |
| 43 | ++ |
| 44 | ++// splitToken splits a token string into three parts: header, claims, and signature. It will only |
| 45 | ++// return true if the token contains exactly two delimiters and three parts. In all other cases, it |
| 46 | ++// will return nil parts and false. |
| 47 | ++func splitToken(token string) ([]string, bool) { |
| 48 | ++ parts := make([]string, 3) |
| 49 | ++ header, remain, ok := strings.Cut(token, tokenDelimiter) |
| 50 | ++ if !ok { |
| 51 | ++ return nil, false |
| 52 | ++ } |
| 53 | ++ parts[0] = header |
| 54 | ++ claims, remain, ok := strings.Cut(remain, tokenDelimiter) |
| 55 | ++ if !ok { |
| 56 | ++ return nil, false |
| 57 | ++ } |
| 58 | ++ parts[1] = claims |
| 59 | ++ // One more cut to ensure the signature is the last part of the token and there are no more |
| 60 | ++ // delimiters. This avoids an issue where malicious input could contain additional delimiters |
| 61 | ++ // causing unecessary overhead parsing tokens. |
| 62 | ++ signature, _, unexpected := strings.Cut(remain, tokenDelimiter) |
| 63 | ++ if unexpected { |
| 64 | ++ return nil, false |
| 65 | ++ } |
| 66 | ++ parts[2] = signature |
| 67 | ++ |
| 68 | ++ return parts, true |
| 69 | ++} |
| 70 | +-- |
| 71 | +2.45.2 |
| 72 | + |
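Review bot: The backported `splitToken` relies on `strings.Cut` (three calls in the new function), which exists only in Go 1.18 and later; nothing on this page shows the consuming module's `go` directive, so confirm the build toolchain and the module's minimum Go version satisfy that before the patch is applied, otherwise the vendored package stops compiling. Patching `vendor/github.com/golang-jwt/jwt/v4/parser.go` in place also leaves the module version recorded in `vendor/modules.txt` and `go.sum` unchanged, so SBOM and vulnerability scanners that key on that version will presumably keep reporting CVE-2025-30204 even though the code is fixed. If the package cannot move to the upstream release that contains commit 2f0e9add, record the backport in the package changelog or scanner triage data so the finding is documented rather than rediscovered on every scan. The function body appears to match the referenced upstream commit, and the comment typo `unecessary` is inherited from upstream; keeping the vendored copy byte-identical to upstream is preferable to correcting it locally. A regression test feeding `ParseUnverified` a token with a fourth `.`-delimited segment and asserting a `ValidationErrorMalformed` error would pin the fix in this tree.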