json-jwt 1.15.3 → 1.16.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0bc8f7f5b23b61360c4b6a72c253b52beb5f7226ebf441d6a6561729155ea55d
-  data.tar.gz: 7175e7ea9121d74d633bb32ce6f88e2d50ddbc3b0109426c562508e40a119727
+  metadata.gz: e15d6297f3fe38127afb9686fcf44f6718b203b15988019897901dc62ebed1ca
+  data.tar.gz: 4fa5a17b443fb0811dc1634db20b39471aca3a7475aa4181cfe2c5c2790d7f47
 SHA512:
-  metadata.gz: f169ddb8eafd2b66e84c8fd32328793e040477a376ab7dfedef29990d330afa667f5f563bc540a0479b095cc2c16cb38b6bb7a7a6c9842656ea41425e63c87b7
-  data.tar.gz: 53e010725185c4acab07988025b1dd70d7def52f27c285ed502a21f1d8e8ad1eedca780db14378824ff7891fbd852265b06a2256281c5a07d40545487ad9241c
+  metadata.gz: 7869a764a0700e9d016e9b3ad30952e5e34a4a2bd1b5b58b3b48887b2d7edc2836f3ec0c7ce72f3246ebda7f00cb18409e33a79953777583f347837a5445d994
+  data.tar.gz: 033e08b8548ad17468e07ea1f21bb115552a3d54163796a252d26b3e728382dc8d7a8f906555967eedb939b683880dec4603decadae7a80800cf0cc8dc082fbf

data/.github/workflows/{test_ruby.yml → spec.yml}

@@ -1,22 +1,23 @@
-name: Test Ruby
+name: Spec
 
 on:
   push:
+    branches:
+      - master
   pull_request:
 
 permissions:
   contents: read
 
 jobs:
-  test:
+  spec:
     strategy:
       matrix:
-        os: ['ubuntu-20.04']
-        ruby-version: ['2.6', '2.7', '3.0', '3.1']
-        # ubuntu 22.04 only supports ssl 3 and thus only ruby 3.1
+        os: ['ubuntu-20.04', 'ubuntu-22.04']
+        ruby-version: ['3.1', '3.2']
         include:
-        - os: 'ubuntu-22.04'
-          ruby-version: '3.1'
+        - os: 'ubuntu-20.04'
+          ruby-version: '3.0'
     runs-on: ${{ matrix.os }}
 
     steps:
@@ -26,5 +27,5 @@ jobs:
       with:
         ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true
-    - name: Run tests
-      run: bundle exec rake
+    - name: Run Specs
+      run: bundle exec rake spec

data/CHANGELOG.md

@@ -0,0 +1,17 @@
+## [Unreleased]
+
+## [1.16.0] - 2022-10-08
+
+### Fixed
+
+- Remove padding oracle by @btoews in https://github.com/nov/json-jwt/pull/109
+
+## [1.16.0] - 2022-10-08
+
+### Added
+
+- start recording CHANGELOG
+
+### Changed
+
+* Switch from httpclient to faraday v2 https://github.com/nov/json-jwt/pull/110

data/README.md

@@ -2,8 +2,6 @@
 
 JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and JSON Web Key) in Ruby
 
-[![Build Status](https://secure.travis-ci.org/nov/json-jwt.png)](http://travis-ci.org/nov/json-jwt)
-
 ## Installation
 
 ```

data/VERSION

@@ -1 +1 @@
-1.15.3
+1.16.3

data/json-jwt.gemspec

@@ -16,7 +16,8 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency 'activesupport', '>= 4.2'
   gem.add_runtime_dependency 'bindata'
   gem.add_runtime_dependency 'aes_key_wrap'
-  gem.add_runtime_dependency 'httpclient'
+  gem.add_runtime_dependency 'faraday', '~> 2.0'
+  gem.add_runtime_dependency 'faraday-follow_redirects'
   gem.add_development_dependency 'rake'
   gem.add_development_dependency 'simplecov'
   gem.add_development_dependency 'webmock'

data/lib/json/jwe.rb

@@ -43,9 +43,12 @@ module JSON
       raise UnexpectedAlgorithm.new('Unexpected alg header') unless algorithms.blank? || Array(algorithms).include?(alg)
       raise UnexpectedAlgorithm.new('Unexpected enc header') unless encryption_methods.blank? || Array(encryption_methods).include?(enc)
       self.private_key_or_secret = with_jwk_support private_key_or_secret
-      cipher.decrypt
       self.content_encryption_key = decrypt_content_encryption_key
       self.mac_key, self.encryption_key = derive_encryption_and_mac_keys
+
+      verify_cbc_authentication_tag! if cbc?
+
+      cipher.decrypt
       cipher.key = encryption_key
       cipher.iv = iv # NOTE: 'iv' has to be set after 'key' for GCM
       if gcm?
@@ -54,8 +57,15 @@ module JSON
         cipher.auth_tag = authentication_tag
         cipher.auth_data = auth_data
       end
-      self.plain_text = cipher.update(cipher_text) + cipher.final
-      verify_cbc_authentication_tag! if cbc?
+
+      begin
+        self.plain_text = cipher.update(cipher_text) + cipher.final
+      rescue OpenSSL::OpenSSLError
+        # Ensure that the same error is raised for invalid PKCS7 padding
+        # as for invalid signatures. This prevents padding-oracle attacks.
+        raise DecryptionFailed
+      end
+
       self
     end
 
@@ -244,7 +254,7 @@ module JSON
         sha_digest, mac_key, secured_input
       )[0, sha_size / 2 / 8]
       unless secure_compare(authentication_tag, expected_authentication_tag)
-        raise DecryptionFailed.new('Invalid authentication tag')
+        raise DecryptionFailed
       end
     end
 

data/lib/json/jwk/set/fetcher.rb

@@ -6,6 +6,8 @@ module JSON
           def fetch(cache_key, options = {})
             yield
           end
+
+          def delete(cache_key, options = {}); end
         end
 
         def self.logger
@@ -36,17 +38,13 @@ module JSON
         self.debugging = false
 
         def self.http_client
-          _http_client_ = HTTPClient.new(
-            agent_name: "JSON::JWK::Set::Fetcher (#{JSON::JWT::VERSION})"
-          )
-
-          # NOTE: httpclient gem seems stopped maintaining root certtificate set, use OS default.
-          _http_client_.ssl_config.clear_cert_store
-          _http_client_.ssl_config.cert_store.set_default_paths
-
-          _http_client_.request_filter << Debugger::RequestFilter.new if debugging?
-          http_config.try(:call, _http_client_)
-          _http_client_
+          Faraday.new(headers: {user_agent: "JSON::JWK::Set::Fetcher #{VERSION}"}) do |faraday|
+            faraday.response :raise_error
+            faraday.response :follow_redirects
+            faraday.response :logger, JSON::JWK::Set::Fetcher.logger if debugging?
+            faraday.adapter Faraday.default_adapter
+            http_config.try(:call, faraday)
+          end
         end
         def self.http_config(&block)
           @@http_config ||= block
@@ -70,10 +68,11 @@ module JSON
           jwks = Set.new(
             JSON.parse(
               cache.fetch(cache_key, options) do
-                http_client.get_content(jwks_uri)
+                http_client.get(jwks_uri).body
               end
             )
           )
+          cache.delete(cache_key, options) if jwks[kid].blank?
 
           if auto_detect
             jwks[kid] or raise KidNotFound

data/lib/json/jwt.rb

@@ -1,6 +1,7 @@
 require 'openssl'
 require 'base64'
-require 'httpclient'
+require 'faraday'
+require 'faraday/follow_redirects'
 require 'active_support'
 require 'active_support/core_ext'
 require 'json/jose'
@@ -137,5 +138,4 @@ require 'json/jwe'
 require 'json/jwk'
 require 'json/jwk/jwkizable'
 require 'json/jwk/set'
-require 'json/jwk/set/fetcher'
-require 'json/jwk/set/fetcher/debugger/request_filter'
+require 'json/jwk/set/fetcher'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-  version: 1.15.3
+  version: 1.16.3
 platform: ruby
 authors:
 - nov matake
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-08-18 00:00:00.000000000 Z
+date: 2023-01-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -53,7 +53,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: httpclient
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: faraday-follow_redirects
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -145,11 +159,11 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".github/FUNDING.yml"
-- ".github/workflows/test_ruby.yml"
+- ".github/workflows/spec.yml"
 - ".gitignore"
 - ".gitmodules"
 - ".rspec"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
@@ -162,7 +176,6 @@ files:
 - lib/json/jwk/jwkizable.rb
 - lib/json/jwk/set.rb
 - lib/json/jwk/set/fetcher.rb
-- lib/json/jwk/set/fetcher/debugger/request_filter.rb
 - lib/json/jws.rb
 - lib/json/jwt.rb
 homepage: https://github.com/nov/json-jwt
@@ -184,7 +197,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and

data/.travis.yml

@@ -1,12 +0,0 @@
-before_install:
-  - gem install bundler
-  - git submodule update --init --recursive
-
-rvm:
-  - 2.6.10
-  - 2.7.6
-  - 3.0.4
-  - 3.1.2
-
-jdk:
-  - openjdk11

data/lib/json/jwk/set/fetcher/debugger/request_filter.rb

@@ -1,34 +0,0 @@
-module JSON
-  class JWK
-    class Set
-      module Fetcher
-        module Debugger
-          class RequestFilter
-            # Callback called in HTTPClient (before sending a request)
-            # request:: HTTP::Message
-            def filter_request(request)
-              started = "======= [JSON::JWK::Set::Fetcher] HTTP REQUEST STARTED ======="
-              log started, request.dump
-            end
-
-            # Callback called in HTTPClient (after received a response)
-            # request::  HTTP::Message
-            # response:: HTTP::Message
-            def filter_response(request, response)
-              finished = "======= [JSON::JWK::Set::Fetcher] HTTP REQUEST FINISHED ======="
-              log '-' * 50, response.dump, finished
-            end
-
-            private
-
-            def log(*outputs)
-              outputs.each do |output|
-                JSON::JWK::Set::Fetcher.logger.info output
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end