json-jwt 1.15.3 → 1.16.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0bc8f7f5b23b61360c4b6a72c253b52beb5f7226ebf441d6a6561729155ea55d
-  data.tar.gz: 7175e7ea9121d74d633bb32ce6f88e2d50ddbc3b0109426c562508e40a119727
+  metadata.gz: 67d205daa24111b954cc01c6b9b68baf98c0f932a6afc02c86ca0ff766d4bdd2
+  data.tar.gz: e2d61533659adb4d6d99314aeb0ff7581c1806a09604d4060e0433ceadc82c47
 SHA512:
-  metadata.gz: f169ddb8eafd2b66e84c8fd32328793e040477a376ab7dfedef29990d330afa667f5f563bc540a0479b095cc2c16cb38b6bb7a7a6c9842656ea41425e63c87b7
-  data.tar.gz: 53e010725185c4acab07988025b1dd70d7def52f27c285ed502a21f1d8e8ad1eedca780db14378824ff7891fbd852265b06a2256281c5a07d40545487ad9241c
+  metadata.gz: 23bfcadd5ef026d90357e2c9501783811f2e10d9a4950269024e4181a8c3b235077066bf0da00d8334159bf4d8d69ddd49754f60e1a93dcef0f4b5a9bb531118
+  data.tar.gz: 3b22c8b470f40c0b392a1236aad0b2921bc629e915351d41db384ad9c302926c4144be36f859b6e70242c15ca909e69535a0abeac4a3ed1f7d01f2397811796d

data/.github/workflows/{test_ruby.yml → spec.yml}

@@ -1,22 +1,23 @@
-name: Test Ruby
+name: Spec
 
 on:
   push:
+    branches:
+      - main
   pull_request:
 
 permissions:
   contents: read
 
 jobs:
-  test:
+  spec:
     strategy:
       matrix:
-        os: ['ubuntu-20.04']
-        ruby-version: ['2.6', '2.7', '3.0', '3.1']
-        # ubuntu 22.04 only supports ssl 3 and thus only ruby 3.1
+        os: ['ubuntu-20.04', 'ubuntu-22.04']
+        ruby-version: ['3.1', '3.2', '3.3']
         include:
-        - os: 'ubuntu-22.04'
-          ruby-version: '3.1'
+        - os: 'ubuntu-20.04'
+          ruby-version: '3.0'
     runs-on: ${{ matrix.os }}
 
     steps:
@@ -26,5 +27,5 @@ jobs:
       with:
         ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true
-    - name: Run tests
-      run: bundle exec rake
+    - name: Run Specs
+      run: bundle exec rake spec

data/CHANGELOG.md

@@ -0,0 +1,17 @@
+## [Unreleased]
+
+## [1.16.0] - 2022-10-08
+
+### Fixed
+
+- Remove padding oracle by @btoews in https://github.com/nov/json-jwt/pull/109
+
+## [1.16.0] - 2022-10-08
+
+### Added
+
+- start recording CHANGELOG
+
+### Changed
+
+* Switch from httpclient to faraday v2 https://github.com/nov/json-jwt/pull/110

data/README.md

@@ -2,8 +2,6 @@
 
 JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and JSON Web Key) in Ruby
 
-[![Build Status](https://secure.travis-ci.org/nov/json-jwt.png)](http://travis-ci.org/nov/json-jwt)
-
 ## Installation
 
 ```

data/VERSION

@@ -1 +1 @@
-1.15.3
+1.16.6

data/json-jwt.gemspec

@@ -14,9 +14,11 @@ Gem::Specification.new do |gem|
   gem.require_paths = ['lib']
   gem.required_ruby_version = '>= 2.4'
   gem.add_runtime_dependency 'activesupport', '>= 4.2'
+  gem.add_runtime_dependency 'base64'
   gem.add_runtime_dependency 'bindata'
   gem.add_runtime_dependency 'aes_key_wrap'
-  gem.add_runtime_dependency 'httpclient'
+  gem.add_runtime_dependency 'faraday', '~> 2.0'
+  gem.add_runtime_dependency 'faraday-follow_redirects'
   gem.add_development_dependency 'rake'
   gem.add_development_dependency 'simplecov'
   gem.add_development_dependency 'webmock'

data/lib/json/jwe.rb

@@ -43,9 +43,12 @@ module JSON
       raise UnexpectedAlgorithm.new('Unexpected alg header') unless algorithms.blank? || Array(algorithms).include?(alg)
       raise UnexpectedAlgorithm.new('Unexpected enc header') unless encryption_methods.blank? || Array(encryption_methods).include?(enc)
       self.private_key_or_secret = with_jwk_support private_key_or_secret
-      cipher.decrypt
       self.content_encryption_key = decrypt_content_encryption_key
       self.mac_key, self.encryption_key = derive_encryption_and_mac_keys
+
+      verify_cbc_authentication_tag! if cbc?
+
+      cipher.decrypt
       cipher.key = encryption_key
       cipher.iv = iv # NOTE: 'iv' has to be set after 'key' for GCM
       if gcm?
@@ -54,8 +57,15 @@ module JSON
         cipher.auth_tag = authentication_tag
         cipher.auth_data = auth_data
       end
-      self.plain_text = cipher.update(cipher_text) + cipher.final
-      verify_cbc_authentication_tag! if cbc?
+
+      begin
+        self.plain_text = cipher.update(cipher_text) + cipher.final
+      rescue OpenSSL::OpenSSLError
+        # Ensure that the same error is raised for invalid PKCS7 padding
+        # as for invalid signatures. This prevents padding-oracle attacks.
+        raise DecryptionFailed
+      end
+
       self
     end
 
@@ -244,7 +254,7 @@ module JSON
         sha_digest, mac_key, secured_input
       )[0, sha_size / 2 / 8]
       unless secure_compare(authentication_tag, expected_authentication_tag)
-        raise DecryptionFailed.new('Invalid authentication tag')
+        raise DecryptionFailed
       end
     end
 

data/lib/json/jwk/set/fetcher.rb

@@ -6,6 +6,8 @@ module JSON
           def fetch(cache_key, options = {})
             yield
           end
+
+          def delete(cache_key, options = {}); end
         end
 
         def self.logger
@@ -36,17 +38,13 @@ module JSON
         self.debugging = false
 
         def self.http_client
-          _http_client_ = HTTPClient.new(
-            agent_name: "JSON::JWK::Set::Fetcher (#{JSON::JWT::VERSION})"
-          )
-
-          # NOTE: httpclient gem seems stopped maintaining root certtificate set, use OS default.
-          _http_client_.ssl_config.clear_cert_store
-          _http_client_.ssl_config.cert_store.set_default_paths
-
-          _http_client_.request_filter << Debugger::RequestFilter.new if debugging?
-          http_config.try(:call, _http_client_)
-          _http_client_
+          Faraday.new(headers: {user_agent: "JSON::JWK::Set::Fetcher #{VERSION}"}) do |faraday|
+            faraday.response :raise_error
+            faraday.response :follow_redirects
+            faraday.response :logger, JSON::JWK::Set::Fetcher.logger if debugging?
+            faraday.adapter Faraday.default_adapter
+            http_config.try(:call, faraday)
+          end
         end
         def self.http_config(&block)
           @@http_config ||= block
@@ -70,10 +68,11 @@ module JSON
           jwks = Set.new(
             JSON.parse(
               cache.fetch(cache_key, options) do
-                http_client.get_content(jwks_uri)
+                http_client.get(jwks_uri).body
               end
             )
           )
+          cache.delete(cache_key, options) if jwks[kid].blank?
 
           if auto_detect
             jwks[kid] or raise KidNotFound

data/lib/json/jws.rb

@@ -124,7 +124,8 @@ module JSON
       public_key_or_secret = with_jwk_support public_key_or_secret
       case
       when hmac?
-        secure_compare sign(signature_base_string, public_key_or_secret), signature
+        secret = public_key_or_secret
+        secure_compare sign(signature_base_string, secret), signature
       when rsa?
         public_key = public_key_or_secret
         public_key.verify digest, signature, signature_base_string

data/lib/json/jwt.rb

@@ -1,6 +1,7 @@
 require 'openssl'
 require 'base64'
-require 'httpclient'
+require 'faraday'
+require 'faraday/follow_redirects'
 require 'active_support'
 require 'active_support/core_ext'
 require 'json/jose'
@@ -108,7 +109,11 @@ module JSON
         when JWS::NUM_OF_SEGMENTS
           JWS.decode_compact_serialized jwt_string, key_or_secret, algorithms, allow_blank_payload
         when JWE::NUM_OF_SEGMENTS
-          JWE.decode_compact_serialized jwt_string, key_or_secret, algorithms, encryption_methods
+          if allow_blank_payload
+            raise InvalidFormat.new("JWE w/ blank payload is not supported.")
+          else
+            JWE.decode_compact_serialized jwt_string, key_or_secret, algorithms, encryption_methods
+          end
         else
           raise InvalidFormat.new("Invalid JWT Format. JWT should include #{JWS::NUM_OF_SEGMENTS} or #{JWE::NUM_OF_SEGMENTS} segments.")
         end
@@ -137,5 +142,4 @@ require 'json/jwe'
 require 'json/jwk'
 require 'json/jwk/jwkizable'
 require 'json/jwk/set'
-require 'json/jwk/set/fetcher'
-require 'json/jwk/set/fetcher/debugger/request_filter'
+require 'json/jwk/set/fetcher'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-  version: 1.15.3
+  version: 1.16.6
 platform: ruby
 authors:
 - nov matake
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-08-18 00:00:00.000000000 Z
+date: 2024-03-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '4.2'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bindata
   requirement: !ruby/object:Gem::Requirement
@@ -53,7 +67,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: httpclient
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: faraday-follow_redirects
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -145,11 +173,11 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".github/FUNDING.yml"
-- ".github/workflows/test_ruby.yml"
+- ".github/workflows/spec.yml"
 - ".gitignore"
 - ".gitmodules"
 - ".rspec"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
@@ -162,7 +190,6 @@ files:
 - lib/json/jwk/jwkizable.rb
 - lib/json/jwk/set.rb
 - lib/json/jwk/set/fetcher.rb
-- lib/json/jwk/set/fetcher/debugger/request_filter.rb
 - lib/json/jws.rb
 - lib/json/jwt.rb
 homepage: https://github.com/nov/json-jwt
@@ -184,7 +211,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and

data/.travis.yml

@@ -1,12 +0,0 @@
-before_install:
-  - gem install bundler
-  - git submodule update --init --recursive
-
-rvm:
-  - 2.6.10
-  - 2.7.6
-  - 3.0.4
-  - 3.1.2
-
-jdk:
-  - openjdk11

data/lib/json/jwk/set/fetcher/debugger/request_filter.rb

@@ -1,34 +0,0 @@
-module JSON
-  class JWK
-    class Set
-      module Fetcher
-        module Debugger
-          class RequestFilter
-            # Callback called in HTTPClient (before sending a request)
-            # request:: HTTP::Message
-            def filter_request(request)
-              started = "======= [JSON::JWK::Set::Fetcher] HTTP REQUEST STARTED ======="
-              log started, request.dump
-            end
-
-            # Callback called in HTTPClient (after received a response)
-            # request::  HTTP::Message
-            # response:: HTTP::Message
-            def filter_response(request, response)
-              finished = "======= [JSON::JWK::Set::Fetcher] HTTP REQUEST FINISHED ======="
-              log '-' * 50, response.dump, finished
-            end
-
-            private
-
-            def log(*outputs)
-              outputs.each do |output|
-                JSON::JWK::Set::Fetcher.logger.info output
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end