Comments (3)
ycrumeyrolle
commented on June 18, 2024
Generally speaking, getting the raw bytes via
ValueSpanand then usingSequenceEqualprobably isn't what you want to do unless you control the input or only want to support the exact bytes.
I want to support the exact match as the propertie names are registred values.
But...
as defined in the JWS RFC,
For security reasons, the representations of these names must be compared verbatim after performing any escape processing
So I have to support escaped properties.
The properties detection may be rewrite with ValueTextEqual instead of bytes comparison as proposed.
Also, is the JSON input here trusted or known to be valid UTF-8?
The JSON input is not trusted at all. Even if there is a signature validation, we have to read a part of the JSON before.
It should be a valid UTF-8 encoded string, but it may be a malicious string.
Do you have any example of malformed UTF-8 that may cause security issue?
from jwt.
ahsonkhan
commented on June 18, 2024
It should be a valid UTF-8 encoded string, but it may be a malicious string.
What do you mean by malicious?
Do you have any example of malformed UTF-8 that may cause security issue?
I don't know. I would assume yes. Within the context of matching for equality on known utf8 bytes, it shouldn't matter.
from jwt.
ycrumeyrolle
commented on June 18, 2024
Fixed by #325
from jwt.
Related Issues (20)
- Better support multiple issuers HOT 2
- Use an `IBufferWriter` when decompressing a JWT HOT 1
- Extract JWK logic into a separate assembly
- Extract cryptography logic into a separate assembly
- Signature validation fails when no signature algorithm is specified HOT 4
- Operation is not supported on this platform. HOT 8
- AES-GCM key wrapping is generating a nonce with low entropy
- Adds support for encrypted JWK
- Adds a CLI HOT 1
- MacOS build fail
- Adding already existing member to JsonObject creates a duplicate
- JwsDescriptor.Payload setter weird behavior. HOT 7
- Typo in the AlgorithmId.ES256X? HOT 4
- What is the meaning of 'defaultAlgorithm'? HOT 1
- JWKS ToString broken on 1.9.1 HOT 2
- Manual refresh for JwksHttpKeyProvider HOT 2
- Read SignatureAlgorithm from X509Certificate if available HOT 14
- https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.3ZlNebfhKEZ_HqKPIZFoI6Ro_YBlS7z2Oct4zfleOIk HOT 1
- Encrypted key present in ECDH-ES algorithm results in Invalid JWE HOT 9
- Hash-Algorithm for key derivation (ECDH-ES) HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jwt.