jjwt
Deprecate/remove the parse() method
Following the email thread “jjwt signature validation bypass” and a couple of issues here (#193, #90, plus several others related to the post in Auth0's blog):
At least some portion of JJWT users mistake JwtParser#parse() for the main method for parsing signed JWTs, while in fact it will also happily parse unsigned JWTs (even if the alg header is set to something other than none).
As a side note: I thought about proposing as a partial fix to make parse() throw if alg is not none and the signature part is missing, but then decided against that, because it potentially could create an illusion of safety (“no signature → failure, I tested!”), while for the real attacker it's only one additional step to update the alg header after stripping the signature.
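To make the distinction concrete, here is an added example (written for this discussion, not jjwt's own Java code) that models the two parser behaviours in Python with the standard library only: a lenient `parse_unverified` that, like `JwtParser#parse()`, returns the payload of any structurally valid token, and a strict `parse_signed_claims` that, like the JWS-only parsing path, requires a signature segment, pins the algorithm to the one the verifier expects, and checks the HMAC. The minting helpers, the key and the claims are constructed for the demo.

```python
"""Lenient vs. strict compact-JWT parsing (added example, not jjwt code)."""
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper: build an HS256-signed JWS for the checks below."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    payload = _segment(claims)
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def mint_unsigned(claims: dict) -> str:
    """Constructed helper: an unsecured JWT (alg=none, empty signature segment),
    the shape a builder produces when no signing key is supplied."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def parse_unverified(token: str) -> dict:
    """Lenient path (the parse() behaviour the issue warns about): any two- or
    three-segment token is accepted and nothing proves who produced it."""
    parts = token.split(".")
    if len(parts) not in (2, 3):
        raise ValueError("malformed compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def parse_signed_claims(token: str, key: bytes) -> dict:
    """Strict path: only an HS256 JWS whose MAC verifies under `key` is accepted."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("rejected: not a signed JWS (signature segment missing)")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the verifier expects; the header never gets to choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"rejected: unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("rejected: signature verification failed")
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    good = mint_hs256({"sub": "alice", "role": "user"}, key)
    print("strict accepts signed token:", parse_signed_claims(good, key))
    forged = mint_unsigned({"sub": "alice", "role": "admin"})
    print("lenient accepts unsigned token:", parse_unverified(forged))
    try:
        parse_signed_claims(forged, key)
    except ValueError as exc:
        print("strict rejects unsigned token:", exc)
```

The strict function refuses a token on three independent grounds (no signature segment, an algorithm other than the expected one, a MAC mismatch), so removing the signature and rewriting the header, the two-step manipulation described above, is rejected at the first check that applies rather than relying on any single one.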
Yeah, we decided a while ago to remove this before 1.0 final (it was useful for some testing and 'power' scenarios). I'll leave this open to track that modification. Thanks!
FYI, today this issue was used in a security competition to perform an Elevation of Privilege attack: https://hack.more.systems/writeup/2017/05/31/SCTF2017-underconstruction/
@stefan2904 yep, this is expected. Our documentation says don't use parse if you don't know what format the JWT is in. It will be removed before 1.0 final to prevent accidental misuse.
Given that the final RFC specification requires the alg header be specified for a JWS and JWE, this issue may no longer be necessary such that parse will always have the information necessary to process a JWT safely. Leaving this open to keep as a tracker for research.
See https://tools.ietf.org/html/rfc7515#section-4.1.1 - first paragraph, last sentence - MUST.
Per discussion here, this has been addressed in the jwe [#178] branch.
jwe has been merged to master. This will be reflected in the 0.12.0 release.