jwt 2.10.2 → 2.10.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/lib/jwt/jwa/hmac.rb +9 -7
- data/lib/jwt/version.rb +1 -1
- metadata +3 -3
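--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: 014554dde95af535e1c1b84fb4532d6a69ecf2391baaf21c69bbabefb91e4d1c
+  data.tar.gz: f309fd328b353d1ebc2f96e4938cd3d82bf1cc88ab3f94fbadb30027c98751d7
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: f6c6fc5f6ec227884cb6cbef16cf91063c29e81a58b3a0186b50dce86b66ea769bac89742e030f4db59097e67d263819bf3d73a6e1b3ca337eec65dc6219bedb
+  data.tar.gz: 8c62212530a0f8bb6405ed923a0bcfb50375ed63e51f5fe3570d59f7208a6d018434d2de8fefb932b1a2401920b615a69adc5b072be1238f7bf849fda823f26a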
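--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## [v2.10.3](https://github.com/jwt/ruby-jwt/tree/v2.10.3) (2026-05-22)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.10.2...v2.10.3)
+
+**Fixes and enhancements:**
+
+- Backport: Reject `nil` and empty HMAC keys when signing and verifying ([CVE-2026-45363](https://www.cve.org/CVERecord?id=CVE-2026-45363) / [GHSA-c32j-vqhx-rx3x](https://github.com/jwt/ruby-jwt/security/advisories/GHSA-c32j-vqhx-rx3x)) [#725](https://github.com/jwt/ruby-jwt/pull/725) ([@royzwambag](https://github.com/royzwambag))
+
 ## [v2.10.2](https://github.com/jwt/ruby-jwt/tree/v2.10.2) (2025-06-29)
 
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.10.1...v2.10.2)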
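--- a/data/lib/jwt/jwa/hmac.rb
+++ b/data/lib/jwt/jwa/hmac.rb
@@ -16,18 +16,15 @@ module JWT
       end
 
       def sign(data:, signing_key:)
-        signing_key
-        raise_verify_error!('HMAC key expected to be a String') unless signing_key.is_a?(String)
+        ensure_valid_key!(signing_key)
 
         OpenSSL::HMAC.digest(digest.new, signing_key, data)
-      rescue OpenSSL::HMACError => e
-        raise_verify_error!('OpenSSL 3.0 does not support nil or empty hmac_secret') if signing_key == '' && e.message == 'EVP_PKEY_new_mac_key: malloc failure'
-
-        raise e
       end
 
       def verify(data:, signature:, verification_key:)
-
+        ensure_valid_key!(verification_key)
+
+        SecurityUtils.secure_compare(signature, OpenSSL::HMAC.digest(digest.new, verification_key, data))
       end
 
       register_algorithm(new('HS256', OpenSSL::Digest::SHA256))
@@ -38,6 +35,11 @@ module JWT
 
       attr_reader :digest
 
+      def ensure_valid_key!(key)
+        raise_verify_error!('HMAC key expected to be a String') unless key.is_a?(String)
+        raise_verify_error!('HMAC key cannot be empty') if key.empty?
+      end
+
       # Copy of https://github.com/rails/rails/blob/v7.0.3.1/activesupport/lib/active_support/security_utils.rb
       # rubocop:disable Naming/MethodParameterName, Style/StringLiterals, Style/NumericPredicate
       module SecurityUtils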
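Review bot: `ensure_valid_key!` in the second hunk has no comment stating why an empty key is rejected, and that reason is the whole point of the backport: an HMAC keyed with an empty string is computable by anyone, so a token signed with it would verify without knowledge of any secret. Suggest a YARD-style comment above the method, e.g. `# Reject nil/empty HMAC secrets before they reach OpenSSL: a MAC over an empty key is reproducible by anyone, so such a token would verify with no secret (GHSA-c32j-vqhx-rx3x).` The check only tests `empty?`; RFC 7518 §3.2 also requires HMAC keys to be at least as long as the digest output (32 bytes for HS256), which this backport presumably leaves to callers, so a note to that effect in the comment or a follow-up check would help operators. Removing the `OpenSSL::HMACError` rescue from `sign` is consistent, since the pre-check now keeps the empty-key path out of OpenSSL entirely. The enclosing class header and the visibility marker that `attr_reader :digest` appears to sit under are outside both hunks.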
data/lib/jwt/version.rb
CHANGED
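--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.10.
+  version: 2.10.3
 platform: ruby
 authors:
 - Tim Rudat
@@ -194,7 +194,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.10.
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.10.3/CHANGELOG.md
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
@@ -210,7 +210,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version:
+rubygems_version: 4.0.10
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
 test_files: []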