
Certain non-JWT but decodable strings cause "TypeError: no implicit conversion of String into Integer" on decode

Open dmcinnes opened this issue 2 years ago • 1 comments

This is a bit of an edge case, but it's caused some confusion for us.

If a string is given with segments that can be Base64.urlsafe_decode64'd but don't match up to the expectation of a JWT, a TypeError: no implicit conversion of String into Integer is raised instead of a JWT::DecodeError.

An example string is Mw.x.x -- the first segment is decoded as the number 3 for the header which later causes this line to raise the TypeError: no implicit conversion of String into Integer: https://github.com/jwt/ruby-jwt/blob/1fd5b7a8233ea56af03bafaa80ca02a3fc67ac61/lib/jwt/decode.rb#L37

dmcinnes avatar Feb 11 '22 22:02 dmcinnes

I think we could be a little stricter on the type validation for the header.

I'm guessing there is something in the JWT RFC saying the header needs to be an object with a certain set of attributes.

Adding raise(JWT::IncorrectAlgorithm, 'Invalid header') unless header.is_a?(Hash) somewhere maybe

anakinj avatar Feb 23 '22 14:02 anakinj
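The failure mode above and the suggested type check, as an added illustration that is not ruby-jwt's own code: the header segment `Mw` base64url-decodes to `3`, `JSON.parse` returns the Integer 3, and `Integer#[]` with a String key raises the TypeError; the `DecodeError` class and the function names here are stand-ins, not the gem's API.

```ruby
require 'base64'
require 'json'

# Stand-in for the gem's error hierarchy (assumption, not ruby-jwt's class).
class DecodeError < StandardError; end

# Token from the report: the header segment "Mw" decodes to the bytes "3".
BAD_TOKEN = 'Mw.x.x'

# Constructed well-formed token (only the header matters for this check).
VALID_TOKEN = [
  Base64.urlsafe_encode64('{"alg":"HS256"}', padding: false), 'x', 'x'
].join('.')

# Mirrors the failing path: decode the header and index it by key.
# JSON.parse('3') yields the Integer 3, so header['alg'] raises
# TypeError: no implicit conversion of String into Integer.
def naive_header_alg(token)
  header = JSON.parse(Base64.urlsafe_decode64(token.split('.')[0]))
  header['alg']
end

# Hardened path: reject anything that is not a JSON object before indexing,
# so malformed input surfaces as a DecodeError instead of a TypeError.
def strict_header_alg(token)
  segments = token.split('.')
  raise DecodeError, 'Not enough or too many segments' unless segments.length == 3

  header = JSON.parse(Base64.urlsafe_decode64(segments[0]))
  raise DecodeError, 'Invalid header' unless header.is_a?(Hash)

  header['alg']
end

# Returns the class of the exception a block raises, or nil if it succeeds.
def raised_class
  yield
  nil
rescue StandardError => e
  e.class
end

if $PROGRAM_NAME == __FILE__
  puts "naive:  #{raised_class { naive_header_alg(BAD_TOKEN) }}"
  puts "strict: #{raised_class { strict_header_alg(BAD_TOKEN) }}"
end
```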