
Example code is memory insecure

Open lggomez opened this issue 3 years ago • 5 comments

Migrated from https://github.com/dgrijalva/jwt-go/issues/441:

@gardc commented on Nov 21, 2020

Referring to this example (https://godoc.org/github.com/dgrijalva/jwt-go#example-Parse--Hmac) pointed to by the readme, feeding it an invalid JWT will create a memory panic.

Go playground example. (https://play.golang.org/p/wyOgm21FYE8)

Checking for err and token.Valid before assuming it's all good in the hood fixes the issue, Go playground example. (https://play.golang.org/p/0sX-54gXfE2)

lggomez avatar Aug 03 '21 12:08 lggomez

@johnbalvin commented on Nov 26, 2020

just check the error https://play.golang.org/p/LG0AFYMhGQm

lggomez avatar Aug 03 '21 12:08 lggomez
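The failure discussed above, as an added example that is not code from this thread or from the library: a standard-library-only stand-in (hypothetical `Token`, `parse`, `unsafeSubject` and `safeSubject`, assumed to return a nil token on malformed input) shows the unchecked read panicking and the checked read rejecting the token. The input in `main` is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Token struct { // Token and parse are stand-ins (assumption), not the library's code
	Claims map[string]string
	Valid  bool
}

func parse(raw string, key []byte) (*Token, error) {
	p := strings.Split(raw, ".")
	if len(p) != 3 { // malformed input: the caller gets a nil token
		return nil, fmt.Errorf("token contains an invalid number of segments")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(p[0] + "." + p[1]))
	sig, _ := base64.RawURLEncoding.DecodeString(p[2])
	body, _ := base64.RawURLEncoding.DecodeString(p[1])
	tok := &Token{Valid: hmac.Equal(sig, mac.Sum(nil))}
	if tok.Valid = json.Unmarshal(body, &tok.Claims) == nil && tok.Valid; !tok.Valid {
		return tok, fmt.Errorf("token is malformed or its signature is invalid")
	}
	return tok, nil
}

func unsafeSubject(raw string, key []byte) (sub string, panicked bool) {
	defer func() { panicked = recover() != nil }()
	token, _ := parse(raw, key)       // err ignored: the pattern the issue reports
	return token.Claims["sub"], false // panics here when token == nil
}

func safeSubject(raw string, key []byte) (string, error) {
	token, err := parse(raw, key)
	if err != nil || !token.Valid { // check both before any claim is read
		return "", fmt.Errorf("token rejected: %v", err)
	}
	return token.Claims["sub"], nil
}

func main() { // constructed malformed input
	fmt.Println(unsafeSubject("not-a-jwt", []byte("k")))
	fmt.Println(safeSubject("not-a-jwt", []byte("k")))
}
```

With a token signed under a different key, the unchecked function does not panic but returns the unverified `sub` claim, which is why `token.Valid` is checked along with `err`.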

FWIW, here's the repro using this package: https://play.golang.org/p/ym1qpfvFdZS

lggomez avatar Aug 03 '21 12:08 lggomez

Related issue: https://github.com/dgrijalva/jwt-go/issues/379

lggomez avatar Aug 03 '21 12:08 lggomez

Could I raise a PR to fix this example?

jackaitken avatar Apr 28 '23 23:04 jackaitken

> Could I raise a PR to fix this example?

Sure, go ahead, although I am not sure if we already fixed this over time now.

oxisto avatar Apr 29 '23 14:04 oxisto