Skip to content

chore(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.1 [security] (main) #35751

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 5, 2024
Merged

chore(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.1 [security] (main) #35751

merged 1 commit into from
Nov 5, 2024

Conversation

cilium-renovate[bot]
Copy link
Contributor

This PR contains the following updates:

Package Type Update Change
github.com/golang-jwt/jwt/v4 indirect patch v4.5.0 -> v4.5.1

GitHub Vulnerability Alerts

CVE-2024-51744

Summary

Unclear documentation of the error behavior in ParseWithClaims can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

Fix

We have back-ported the error handling logic from the v5 branch to the v4 branch. In this logic, the ParseWithClaims function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release.

Workaround

We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.

token, err := /* jwt.Parse or similar */
if token.Valid {
	fmt.Println("You look nice today")
} else if errors.Is(err, jwt.ErrTokenMalformed) {
	fmt.Println("That's not even a token")
} else if errors.Is(err, jwt.ErrTokenUnverifiable) {
	fmt.Println("We could not verify this token")
} else if errors.Is(err, jwt.ErrTokenSignatureInvalid) {
	fmt.Println("This token has an invalid signature")
} else if errors.Is(err, jwt.ErrTokenExpired) || errors.Is(err, jwt.ErrTokenNotValidYet) {
	// Token is either expired or not active yet
	fmt.Println("Timing is everything")
} else {
	fmt.Println("Couldn't handle this token:", err)
}

Release Notes

golang-jwt/jwt (github.com/golang-jwt/jwt/v4)

v4.5.1

Compare Source

Security

Unclear documentation of the error behavior in ParseWithClaims in <= 4.5.0 could lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.

Note: v5 was not affected by this issue. So upgrading to this release version is also recommended.

What's Changed

  • Back-ported error-handling logic in ParseWithClaims from v5 branch. This fixes GHSA-29wx-vh33-7x7r.

Full Changelog: golang-jwt/jwt@v4.5.0...v4.5.1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@cilium-renovate
chore(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.1 [se…
a0bdf3c 
…curity]

Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com>
@cilium-renovate cilium-renovate bot requested a review from a team as a code owner November 5, 2024 00:08
@cilium-renovate cilium-renovate bot added kind/enhancement This would improve or streamline existing functionality. release-note/misc This PR makes changes that have no direct user impact. renovate/stop-updating Tell Renovate to stop updating PR labels Nov 5, 2024
@cilium-renovate cilium-renovate bot requested a review from ovidiutirla November 5, 2024 00:08
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Nov 5, 2024
ovidiutirla
ovidiutirla approved these changes Nov 5, 2024
View reviewed changes
Copy link
Contributor

@ovidiutirla ovidiutirla left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 5, 2024
@julianwiedmann julianwiedmann added this pull request to the merge queue Nov 5, 2024
Merged via the queue into main with commit badfc77 Nov 5, 2024
301 of 307 checks passed
@cilium-renovate cilium-renovate bot deleted the renovate/main-go-github.com-golang-jwt-jwt-v4-vulnerability branch November 5, 2024 09:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ovidiutirla ovidiutirla ovidiutirla approved these changes

Assignees
No one assigned
Labels
kind/community-contribution This was a contribution made by a community member. kind/enhancement This would improve or streamline existing functionality. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact. renovate/stop-updating Tell Renovate to stop updating PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ovidiutirla @julianwiedmann