Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update go-jose to v4 #2597

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

chore(deps): update go-jose to v4 #2597

wants to merge 4 commits into from

Conversation

kvanzuijlen
Copy link
Member

@kvanzuijlen kvanzuijlen commented Apr 7, 2024
edited

Description

Updates go-jose from v3 to v4

go-jose/go-jose (github.com/go-jose/go-jose/v3)

v4.0.1

Compare Source

Fixed

  • An attacker could send a JWE containing compressed data that used large
    amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
    Those functions now return an error if the decompressed data would exceed
    250kB or 10x the compressed size (whichever is larger). Thanks to
    Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@​zer0yu and @​chenjj)
    for reporting.

v4.0.0

Compare Source

This release makes some breaking changes in order to more thoroughly address the vulnerabilities discussed in Three New Attacks Against JSON Web Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot token".

Changed

  • Limit JWT encryption types (exclude password or public key types) (#​78)

  • Enforce minimum length for HMAC keys (#​85)

  • jwt: match any audience in a list, rather than requiring all audiences (#​81)

  • jwt: accept only Compact Serialization (#​75)

  • jws: Add expected algorithms for signatures (#​74)

  • Require specifying expected algorithms for ParseEncrypted,
    ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
    jwt.ParseSignedAndEncrypted (#​69, #​74)

    • Usually there is a small, known set of appropriate algorithms for a program
      to use and it's a mistake to allow unexpected algorithms. For instance the
      "billion hash attack" relies in part on programs accepting the PBES2
      encryption algorithm and doing the necessary work even if they weren't
      specifically configured to allow PBES2.

  • Revert "Strip padding off base64 strings" (#​82)

  • The specs require base64url encoding without padding.

  • Minimum supported Go version is now 1.21

Added

  • ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.

    • These allow parsing a specific serialization, as opposed to ParseSigned and
      ParseEncrypted, which try to automatically detect which serialization was
      provided. It's common to require a specific serialization for a specific
      protocol - for instance JWT requires Compact serialization.

Motivation and Context

go-jose was outdated, this will update it to the latest major

How Has This Been Tested?

Tests will run on this PR

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.
  • I have written tests for my code changes.

@kvanzuijlen kvanzuijlen requested a review from a team as a code owner April 7, 2024 08:53
@github-actions github-actions bot added dependencies Pull requests that update a dependency file go tests provider labels Apr 7, 2024
@github-actions github-actions bot added the docs label Apr 7, 2024
@kvanzuijlen kvanzuijlen mentioned this pull request Apr 7, 2024
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file docs go provider tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@kvanzuijlen