From 08dcd86e5ddae83d2f811e6a6441f68f0a01e957 Mon Sep 17 00:00:00 2001
From: hongming
Date: Wed, 2 Apr 2025 13:38:15 +0800
Subject: [PATCH] deps: bump github.com/golang-jwt/jwt/v4 to v4.5.2 (#6475)

Signed-off-by: hongming
---
 go.mod | 4 +--
 go.sum | 4 +--
 vendor/github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++--
 vendor/modules.txt | 4 +--
 4 files changed, 39 insertions(+), 9 deletions(-)

diff --git a/go.mod b/go.mod
index d2d8a4ddb..80b44e4c1 100644
--- a/go.mod
+++ b/go.mod
@@ -34,7 +34,7 @@ require (
 github.com/go-openapi/strfmt v0.21.3
 github.com/go-openapi/validate v0.22.0
 github.com/go-redis/redis v6.15.2+incompatible
- github.com/golang-jwt/jwt/v4 v4.5.1
+ github.com/golang-jwt/jwt/v4 v4.5.2
 github.com/golang/example v0.0.0-20170904185048-46695d81d1fa
 github.com/google/go-cmp v0.6.0
 github.com/google/go-containerregistry v0.14.0
@@ -297,7 +297,7 @@ replace (
 github.com/go-openapi/validate => github.com/go-openapi/validate v0.22.0
 github.com/go-redis/redis => github.com/go-redis/redis v6.15.2+incompatible
 github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
- github.com/golang-jwt/jwt/v4 => github.com/golang-jwt/jwt/v4 v4.5.1
+ github.com/golang-jwt/jwt/v4 => github.com/golang-jwt/jwt/v4 v4.5.2
 github.com/golang/example => github.com/golang/example v0.0.0-20170904185048-46695d81d1fa
 github.com/golang/glog => github.com/golang/glog v1.2.4
 github.com/golang/protobuf => github.com/golang/protobuf v1.5.4
diff --git a/go.sum b/go.sum
index 974dc3308..b33334324 100644
--- a/go.sum
+++ b/go.sum
@@ -1108,8 +1108,8 @@ github.com/godror/knownpb v0.1.1/go.mod h1:4nRFbQo1dDuwKnblRXDxrfCFYeT4hjg3GjMqe
 github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
-github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/example v0.0.0-20170904185048-46695d81d1fa h1:iqCQC2Z53KkwGgTN9szyL4q0OQHmuNjeoNnMT6lk66k=
 github.com/golang/example v0.0.0-20170904185048-46695d81d1fa/go.mod h1:tO/5UvQ/uKigUjQBPqzstj6uxd3fUIjddi19DxGJeWg=
diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
index 9dd36e5a5..0fc510a0a 100644
--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
+++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
@@ -7,6 +7,8 @@ import (
 "strings"
 )
 
+const tokenDelimiter = "."
+
 type Parser struct {
 // If populated, only these methods will be considered valid.
 //
@@ -122,9 +124,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
 // It's only ever useful in cases where you know the signature is valid (because it has
 // been checked previously in the stack) and you want to extract values from it.
 func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
- parts = strings.Split(tokenString, ".")
- if len(parts) != 3 {
- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ var ok bool
+ parts, ok = splitToken(tokenString)
+ if !ok {
+ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
 }
 
 token = &Token{Raw: tokenString}
@@ -174,3 +177,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
 
 return token, parts, nil
 }
+
+// splitToken splits a token string into three parts: header, claims, and signature. It will only
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
+// will return nil parts and false.
+func splitToken(token string) ([]string, bool) {
+ parts := make([]string, 3)
+ header, remain, ok := strings.Cut(token, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[0] = header
+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[1] = claims
+ // One more cut to ensure the signature is the last part of the token and there are no more
+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
+ // causing unecessary overhead parsing tokens.
+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
+ if unexpected {
+ return nil, false
+ }
+ parts[2] = signature
+
+ return parts, true
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 92cb7a6a1..110cc687e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -458,7 +458,7 @@ github.com/gogo/protobuf/gogoproto
 github.com/gogo/protobuf/proto
 github.com/gogo/protobuf/protoc-gen-gogo/descriptor
 github.com/gogo/protobuf/sortkeys
-# github.com/golang-jwt/jwt/v4 v4.5.1 => github.com/golang-jwt/jwt/v4 v4.5.1
+# github.com/golang-jwt/jwt/v4 v4.5.2 => github.com/golang-jwt/jwt/v4 v4.5.2
 ## explicit; go 1.16
 github.com/golang-jwt/jwt/v4
 # github.com/golang/example v0.0.0-20170904185048-46695d81d1fa => github.com/golang/example v0.0.0-20170904185048-46695d81d1fa
@@ -2465,7 +2465,7 @@ sigs.k8s.io/yaml/goyaml.v3
 # github.com/go-openapi/validate => github.com/go-openapi/validate v0.22.0
 # github.com/go-redis/redis => github.com/go-redis/redis v6.15.2+incompatible
 # github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
-# github.com/golang-jwt/jwt/v4 => github.com/golang-jwt/jwt/v4 v4.5.1
+# github.com/golang-jwt/jwt/v4 => github.com/golang-jwt/jwt/v4 v4.5.2
 # github.com/golang/example => github.com/golang/example v0.0.0-20170904185048-46695d81d1fa
 # github.com/golang/glog => github.com/golang/glog v1.2.4
 # github.com/golang/protobuf => github.com/golang/protobuf v1.5.4