Fix issue with MapClaims VerifyAudience []string #12
Conversation
There was an issue in MapClaims's VerifyAudience where a []string (which is valid in the spec) would return true (claim is found, or nil) when required was not set. It now checks interface types correctly and has tests written. Signed-off-by: Alistair Hey <[email protected]>
This is validating against this part of the RFC https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
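The behaviour described in this PR, as an added illustration rather than the library's own code: a `VerifyAudience` that normalises the three runtime shapes an `aud` claim can take (string, `[]string`, and the `[]interface{}` that `encoding/json` produces for a JSON array) before comparing, and that compares every candidate in constant time without returning early. The `MapClaims` type and `verifyAud` helper here are assumed, minimal stand-ins for the project's types.

```go
package main

import "crypto/subtle"

// MapClaims stands in for the decoded-claims map (assumed shape): "aud"
// may be a string, a []string set from Go code, or a []interface{} as
// produced by encoding/json for a JSON array.
type MapClaims map[string]interface{}

// verifyAud reports whether cmp is one of the audiences in aud. Every
// entry is compared in constant time and the result is accumulated rather
// than returned on the first hit, so the work done does not depend on the
// position of the match. An empty aud is accepted only when not required.
func verifyAud(aud []string, cmp string, required bool) bool {
	if len(aud) == 0 {
		return !required
	}
	found := false
	for _, a := range aud {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			found = true
		}
	}
	return found
}

// VerifyAudience normalises the runtime shape of "aud" before delegating
// to verifyAud. The defect this PR fixes was a []string that did not hit
// the type switch, so it was treated as an absent claim and accepted
// whenever required was false.
func (m MapClaims) VerifyAudience(cmp string, required bool) bool {
	var aud []string
	switch v := m["aud"].(type) {
	case string:
		aud = append(aud, v)
	case []string:
		aud = v
	case []interface{}:
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false // non-string entry: treat the claim as invalid
			}
			aud = append(aud, s)
		}
	}
	return verifyAud(aud, cmp, required)
}
```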
Ah perfect, a fix without touching the claims struct 👍
Starting with Go 1.7, since this is the lowest version still working once we merge in #12. We can then gradually move upwards.
Have we decided what Go versions to support and if we are using GitHub Actions or Travis?
Keep aud validation using constant-time compare by not instantly returning on a true comparison; keep comparing all options and store the result in a variable. Signed-off-by: Alistair Hey <[email protected]>
Basically I have enabled GH Actions for those versions we want to support (>= 1.11). Travis has 1.7-1.10 currently. My idea is then to gradually remove versions from it (Travis), when PRs reasonably demand it, until Travis can be removed completely.
LGTM
LGTM
andygrunwald#343 https://github.com/dgrijalva/jwt-go has been abandoned (see dgrijalva/jwt-go#462). In order to fix the vulnerability we have to switch to a community-driven fork https://github.com/golang-jwt/jwt . The issue has been fixed in golang-jwt/jwt#12
andygrunwald#343 https://github.com/dgrijalva/jwt-go has been abandoned (see dgrijalva/jwt-go#462). In order to fix the vulnerability we have to switch to a community-driven fork https://github.com/golang-jwt/jwt . The issue has been fixed in golang-jwt/jwt#12 (cherry picked from commit fff481a) Co-authored-by: Yar Krvtsov <[email protected]>
There was an issue in MapClaims's VerifyAudience where a []string (which
is valid in the spec) would return true (claim is found, or nil) when required
was not set.
It now checks interface types correctly and has tests written.
Fixes: #6
Signed-off-by: Alistair Hey [email protected]