-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade golang-jwt to v4 #2699
Comments
@vishr, @lammel maybe it is time to delete JWT middleware from core (this repo) and direct everyone to https://github.com/labstack/echo-jwt I really dislike the idea of major version bump for this. I do not think upgrading JWT deps makes sense in this repo. It is a breaking change anyway. Upgrading to |
@inge4pres as a immediate remedy, please switch to using https://github.com/labstack/echo-jwt NB: make sure to create at lease one test in you app that uses jwt mw + you handler that checks for JWT Token. This is because people often have something like that func TestMyHandlerWithJWTMW(t *testing.T) {
e := echo.New()
// replace this with https://github.com/labstack/echo-jwt
e.Use(middleware.JWTWithConfig(middleware.JWTConfig{
SigningKey: []byte("secret"),
}))
req := httptest.NewRequest(http.MethodGet, "/", nil)
req.Header.Set(echo.HeaderAuthorization, "bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ")
res := httptest.NewRecorder()
// ADD HERE YOUR HANDLER TO ECHO to test
// `user = c.Get("user").(*jwt.Token)` not panicing due different JWT version
// That line would definetely panic if Echo would bump JWT version to v4/v5 but you did not upgrade JWT import in this handle .go file
//e.GET("/", myHandler)
e.ServeHTTP(res, req)
assert.Equal(t, http.StatusOK, res.Code)
} |
Guess this is the way to go. The echo core should require as view dependencies as possible to avoid backwards compatibility issues. Bumping versions for |
Thanks for your inputs folks. |
for history sake. This is previous breaking change related to JWT #1946 and discussion about that #1940 List of related issues and PRs #2701 (comment) |
Issue Description
The
golang-jwt
library imported in themiddleware
package suffers from a CVE.A fix is present in v5 or v5 of the library, but upgrading to v5 changes the API.
An upgrade to v4.5.1 is enough to fix the vuln.
Checklist
Expected behaviour
A SCA scan does not surface any vulnerabilities.
Actual behaviour
Vulnerabilty is flagged.
Version/commit
v4.12.0
The text was updated successfully, but these errors were encountered: