Skip to content

Commit

Permalink
Fixes #949 (#950)
Browse files Browse the repository at this point in the history
* Introduced try/finally block to guarantee consumable content InputStream is closed
  • Loading branch information
lhazlewood authored Jun 17, 2024
1 parent a7de554 commit 0c2d96c
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 33 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ This patch release:
* Ensures that after successful JWS signature verification, an application-configured Base64Url `Decoder` output is
used to construct a `Jws` instance (instead of JJWT's default decoder). See
[Issue 947](https://github.com/jwtk/jjwt/issues/947).
* Fixes a decompression memory leak in concurrent/multi-threaded environments introduced in 0.12.0 when decompressing JWTs with a `zip` header of `GZIP`. See [Issue 949](https://github.com/jwtk/jjwt/issues/949).

### 0.12.5

Expand Down
71 changes: 38 additions & 33 deletions impl/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java
Original file line number Diff line number Diff line change
Expand Up @@ -597,43 +597,48 @@ private byte[] verifySignature(final TokenizedJwt tokenized, final JwsHeader jws
Claims claims = null;
byte[] payloadBytes = payload.getBytes();
if (payload.isConsumable()) {

InputStream in = payload.toInputStream();

if (!hasContentType(header)) { // If there is a content type set, then the application using JJWT is expected
// to convert the byte payload themselves based on this content type
// https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.10 :
//
// "This parameter is ignored by JWS implementations; any processing of this
// parameter is performed by the JWS application."
//
Map<String, ?> claimsMap = null;
try {
// if deserialization fails, we'll need to rewind to convert to a byte array. So if
// mark/reset isn't possible, we'll need to buffer:
if (!in.markSupported()) {
in = new BufferedInputStream(in);
in.mark(0);
}
claimsMap = deserialize(new UncloseableInputStream(in) /* Don't close in case we need to rewind */, "claims");
} catch (DeserializationException | MalformedJwtException ignored) { // not JSON, treat it as a byte[]
InputStream in = null;
try {
in = payload.toInputStream();

if (!hasContentType(header)) { // If there is a content type set, then the application using JJWT is expected
// to convert the byte payload themselves based on this content type
// https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.10 :
//
// "This parameter is ignored by JWS implementations; any processing of this
// parameter is performed by the JWS application."
//
Map<String, ?> claimsMap = null;
try {
// if deserialization fails, we'll need to rewind to convert to a byte array. So if
// mark/reset isn't possible, we'll need to buffer:
if (!in.markSupported()) {
in = new BufferedInputStream(in);
in.mark(0);
}
claimsMap = deserialize(new UncloseableInputStream(in) /* Don't close in case we need to rewind */, "claims");
} catch (DeserializationException |
MalformedJwtException ignored) { // not JSON, treat it as a byte[]
// String msg = "Invalid claims: " + e.getMessage();
// throw new MalformedJwtException(msg, e);
} finally {
Streams.reset(in);
}
if (claimsMap != null) {
try {
claims = new DefaultClaims(claimsMap);
} catch (Throwable t) {
String msg = "Invalid claims: " + t.getMessage();
throw new MalformedJwtException(msg);
} finally {
Streams.reset(in);
}
if (claimsMap != null) {
try {
claims = new DefaultClaims(claimsMap);
} catch (Throwable t) {
String msg = "Invalid claims: " + t.getMessage();
throw new MalformedJwtException(msg);
}
}
}
}
if (claims == null) {
// consumable, but not claims, so convert to byte array:
payloadBytes = Streams.bytes(in, "Unable to convert payload to byte array.");
if (claims == null) {
// consumable, but not claims, so convert to byte array:
payloadBytes = Streams.bytes(in, "Unable to convert payload to byte array.");
}
} finally { // always ensure closed per https://github.com/jwtk/jjwt/issues/949
Objects.nullSafeClose(in);
}
}

Expand Down

0 comments on commit 0c2d96c

Please sign in to comment.