deen
JWT decoder crashes on nested signing or encryption
deen crashes with an exception if a JWT is decoded which contains a nested JWT [1].
Steps to reproduce:
- Start deen
- Enter the following JWT:
eyJ0eXAiOiJKV1QiLCJjdHkiOiJKV1QiLCJhbGciOiJub25lIn0.ZXlKemRXSWlPaUl4TWpNME5UWTNPRGt3SWl3aWJtRnRaU0k2SWtwdmFHNGdSRzlsSWl3aWFXRjBJam94TlRFMk1qTTVNREl5TENKbGVIQWlPakU1TVRZeU16a3dNako5LmRNRDNNTHVIVGlPLVF5OVB2T29NY2hOTTRDekZJZ0k3aktWclJ0bHFsTTA.
(header: {"typ":"JWT","cty":"JWT","alg":"none"}; content: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE5MTYyMzkwMjJ9.dMD3MLuHTiO-Qy9PvOoMchNM4CzFIgI7jKVrRtlqlM0)
- Select Decode, JWT
- deen crashes
Stack Trace:
[ ERROR - 2019-05-16 11:40:54,239 - deen.plugins.DeenPluginJwt - plugin_jwt.py:153 - unprocess() ] Invalid payload string: Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/deen/gui/encoder.py", line 462, in action
self._action()
File "/usr/lib/python3.7/site-packages/deen/gui/encoder.py", line 582, in _action
data = self.plugin.unprocess(self._content)
File "/usr/lib/python3.7/site-packages/deen/plugins/codecs/plugin_jwt.py", line 160, in unprocess
data_decoded = json.dumps(data)
File "/usr/lib/python3.7/json/__init__.py", line 231, in dumps
return _default_encoder.encode(obj)
File "/usr/lib/python3.7/json/encoder.py", line 199, in encode
chunks = self.iterencode(o, _one_shot=True)
File "/usr/lib/python3.7/json/encoder.py", line 257, in iterencode
return _iterencode(o, 0)
File "/usr/lib/python3.7/json/encoder.py", line 179, in default
raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type bytes is not JSON serializable
KCrash: crashing... crashRecursionCounter = 2
KCrash: Application Name = python3.7 path = /usr/bin pid = 7262
KCrash: Arguments: /usr/bin/python3.7
KCrash: Attempting to start /usr/lib/drkonqi from kdeinit
sock_file=/run/user/1000/kdeinit5__0
[1] + 7262 suspended (signal) deen
Installed Version: 2.0.0b5.1685b40-1
[1] https://tools.ietf.org/html/rfc7519#section-5.2
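The decoder below is an added example, not deen's own plugin code: it decodes a compact JWT for display, follows a cty "JWT" header into the nested token as RFC 7519 section 5.2 describes, and returns a payload that is not JSON as text or base64 so that json.dumps is never handed bytes. It uses the reproduction token from the report above; the helper make_unsigned_jwt and the layout of the returned dict are this example's own choices, and no signature is verified.

```python
import base64
import json

NESTED_TOKEN = (  # reproduction token from the report above (header has cty "JWT")
    "eyJ0eXAiOiJKV1QiLCJjdHkiOiJKV1QiLCJhbGciOiJub25lIn0."
    "ZXlKemRXSWlPaUl4TWpNME5UWTNPRGt3SWl3aWJtRnRaU0k2SWtwdmFHNGdSRzlsSWl3aWFXRjBJam94"
    "TlRFMk1qTTVNREl5TENKbGVIQWlPakU1TVRZeU16a3dNako5LmRNRDNNTHVIVGlPLVF5OVB2T29NY2hO"
    "TTRDekZJZ0k3aktWclJ0bHFsTTA."
)

def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one compact-serialization segment, restoring padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")

def _displayable(raw: bytes) -> dict:
    """Never hand bytes to json.dumps: show UTF-8 text, otherwise base64."""
    try:
        return {"raw": raw.decode("utf-8")}
    except UnicodeDecodeError:
        return {"raw_base64": base64.b64encode(raw).decode("ascii")}

def decode_jwt(token: str, max_depth: int = 4) -> dict:
    """Decode a compact JWS for display only (no signature verification).
    cty "JWT" (RFC 7519 section 5.2) means the payload is itself a JWT and is
    decoded recursively; a non-JSON payload becomes text/base64 instead of raising."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments, got %d" % len(parts))
    header = json.loads(_b64url_decode(parts[0]))
    payload_bytes = _b64url_decode(parts[1])
    if str(header.get("cty", "")).upper() == "JWT" and max_depth > 0:
        inner = payload_bytes.decode("utf-8", errors="replace")
        if inner.count(".") == 2:  # only a 3-segment inner token is a JWS
            payload = decode_jwt(inner, max_depth - 1)
        else:  # malformed nested token (as in the report): show it, do not crash
            payload = _displayable(payload_bytes)
    else:
        try:
            payload = json.loads(payload_bytes)
        except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
            payload = _displayable(payload_bytes)
    return {"header": header, "payload": payload, "signature": parts[2]}

def make_unsigned_jwt(header: dict, payload: bytes) -> str:
    """Build an alg=none compact JWT with an empty signature (constructed test input)."""
    return "%s.%s." % (_b64url_encode(json.dumps(header).encode()), _b64url_encode(payload))
```

On the report's token the inner content has only two segments, so the decoder returns it as text under "raw" rather than failing in json.dumps.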
Crashes as well on macOS on dev branch 077251feb190fbbb81a52473e981a33f1d5eba24
[ ERROR - 2019-05-16 12:01:36,875 - deen.plugins.DeenPluginJwt - plugin_jwt.py:153 - unprocess() ] Invalid payload string: Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
File "/Users/user/Github/deen/deen/gui/encoder.py", line 499, in action
self._action()
File "/Users/user/Github/deen/deen/gui/encoder.py", line 615, in _action
data = self.plugin.unprocess(self._content)
File "/Users/user/Github/deen/deen/plugins/codecs/plugin_jwt.py", line 160, in unprocess
data_decoded = json.dumps(data)
File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/__init__.py", line 231, in dumps
return _default_encoder.encode(obj)
File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/encoder.py", line 199, in encode
chunks = self.iterencode(o, _one_shot=True)
File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/encoder.py", line 257, in iterencode
return _iterencode(o, 0)
File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/encoder.py", line 179, in default
raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type bytes is not JSON serializable
[1] 84990 abort python3 main.py
Please fix deen for macOS 💯
It's a bug in python-jose:
➜ ~ deen -v
[ ERROR - 2019-05-16 12:13:29,146 - deen.plugins.DeenPluginJwt - plugin_jwt.py:153 - unprocess() ] Invalid payload string: Expecting value: line 1 column 1 (char 0)
[ DEBUG - 2019-05-16 12:13:29,147 - deen.plugins.DeenPluginJwt - plugin_jwt.py:154 - unprocess() ] Invalid payload string: Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/jose/jwt.py", line 143, in decode
claims = json.loads(payload.decode('utf-8'))
File "/usr/lib/python3.7/json/__init__.py", line 348, in loads
return _default_decoder.decode(s)
File "/usr/lib/python3.7/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python3.7/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/deen/plugins/codecs/plugin_jwt.py", line 149, in unprocess
algorithms=[algo], options=options)
File "/usr/lib/python3.7/site-packages/jose/jwt.py", line 145, in decode
raise JWTError('Invalid payload string: %s' % e)
jose.exceptions.JWTError: Invalid payload string: Expecting value: line 1 column 1 (char 0)
It is the third bug in the JWT plugin that is related to this module. However, the bug report for the first one has been ignored and is still unfixed. Not sure if they will ever fix these issues.
I'm considering switching to a more stable module with a more stable implementation.