
JWT decoder crashes on nested signing or encryption

Open SvenTo opened this issue 5 years ago • 2 comments

deen crashes with an exception if a JWT is decoded which contains a nested JWT [1].

Steps to reproduce:

  • Start deen
  • Enter the following JWT: eyJ0eXAiOiJKV1QiLCJjdHkiOiJKV1QiLCJhbGciOiJub25lIn0.ZXlKemRXSWlPaUl4TWpNME5UWTNPRGt3SWl3aWJtRnRaU0k2SWtwdmFHNGdSRzlsSWl3aWFXRjBJam94TlRFMk1qTTVNREl5TENKbGVIQWlPakU1TVRZeU16a3dNako5LmRNRDNNTHVIVGlPLVF5OVB2T29NY2hOTTRDekZJZ0k3aktWclJ0bHFsTTA. (header: {"typ":"JWT","cty":"JWT","alg":"none"}; content: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE5MTYyMzkwMjJ9.dMD3MLuHTiO-Qy9PvOoMchNM4CzFIgI7jKVrRtlqlM0)
  • Select Decode, JWT
  • deen crashes

Stack Trace:

[ ERROR - 2019-05-16 11:40:54,239 - deen.plugins.DeenPluginJwt - plugin_jwt.py:153 - unprocess() ] Invalid payload string: Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/deen/gui/encoder.py", line 462, in action
    self._action()
  File "/usr/lib/python3.7/site-packages/deen/gui/encoder.py", line 582, in _action
    data = self.plugin.unprocess(self._content)
  File "/usr/lib/python3.7/site-packages/deen/plugins/codecs/plugin_jwt.py", line 160, in unprocess
    data_decoded = json.dumps(data)
  File "/usr/lib/python3.7/json/__init__.py", line 231, in dumps
    return _default_encoder.encode(obj)
  File "/usr/lib/python3.7/json/encoder.py", line 199, in encode
    chunks = self.iterencode(o, _one_shot=True)
  File "/usr/lib/python3.7/json/encoder.py", line 257, in iterencode
    return _iterencode(o, 0)
  File "/usr/lib/python3.7/json/encoder.py", line 179, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type bytes is not JSON serializable
KCrash: crashing... crashRecursionCounter = 2
KCrash: Application Name = python3.7 path = /usr/bin pid = 7262
KCrash: Arguments: /usr/bin/python3.7 
KCrash: Attempting to start /usr/lib/drkonqi from kdeinit
sock_file=/run/user/1000/kdeinit5__0
[1]  + 7262 suspended (signal)  deen

Installed Version: 2.0.0b5.1685b40-1

[1] https://tools.ietf.org/html/rfc7519#section-5.2

SvenTo, May 16 '19 09:05

Crashes as well on macOS on the dev branch 077251feb190fbbb81a52473e981a33f1d5eba24

[ ERROR - 2019-05-16 12:01:36,875 - deen.plugins.DeenPluginJwt - plugin_jwt.py:153 - unprocess() ] Invalid payload string: Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
  File "/Users/user/Github/deen/deen/gui/encoder.py", line 499, in action
    self._action()
  File "/Users/user/Github/deen/deen/gui/encoder.py", line 615, in _action
    data = self.plugin.unprocess(self._content)
  File "/Users/user/Github/deen/deen/plugins/codecs/plugin_jwt.py", line 160, in unprocess
    data_decoded = json.dumps(data)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/__init__.py", line 231, in dumps
    return _default_encoder.encode(obj)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/encoder.py", line 199, in encode
    chunks = self.iterencode(o, _one_shot=True)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/encoder.py", line 257, in iterencode
    return _iterencode(o, 0)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/encoder.py", line 179, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type bytes is not JSON serializable
[1]    84990 abort      python3 main.py

Please fix deen for macOS 💯

Traxes, May 16 '19 10:05

It's a bug in python-jose:

➜  ~ deen -v 
[ ERROR - 2019-05-16 12:13:29,146 - deen.plugins.DeenPluginJwt - plugin_jwt.py:153 - unprocess() ] Invalid payload string: Expecting value: line 1 column 1 (char 0)
[ DEBUG - 2019-05-16 12:13:29,147 - deen.plugins.DeenPluginJwt - plugin_jwt.py:154 - unprocess() ] Invalid payload string: Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/jose/jwt.py", line 143, in decode
    claims = json.loads(payload.decode('utf-8'))
  File "/usr/lib/python3.7/json/__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3.7/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python3.7/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/deen/plugins/codecs/plugin_jwt.py", line 149, in unprocess
    algorithms=[algo], options=options)
  File "/usr/lib/python3.7/site-packages/jose/jwt.py", line 145, in decode
    raise JWTError('Invalid payload string: %s' % e)
jose.exceptions.JWTError: Invalid payload string: Expecting value: line 1 column 1 (char 0)

It is the third bug in the JWT plugin that is related to this module. However, the bug report for the first one has been ignored and is still unfixed. Not sure if they will ever fix these issues.

I'm considering switching to a more stable module with a more stable implementation.

takeshixx, May 16 '19 11:05
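Both traces fail at the same spot: the outer header carries cty "JWT", so per RFC 7519 section 5.2 the payload is another compact JWT string rather than a JSON object, json.loads() in python-jose's jwt.decode() rejects it, and deen's unprocess() then hands a bytes object to json.dumps(). The decoder below is an added, stdlib-only example (not deen's or python-jose's code) showing how an inspection decoder can follow the cty=JWT branch instead of crashing. ISSUE_TOKEN is the token from the report; as posted, its decoded payload consists of only two dot-separated segments, so the decoder reports it as raw instead of recursing. DEMO_KEY, the helper names and the constructed Nested JWT are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json

# Token from the issue report: outer header {"typ":"JWT","cty":"JWT","alg":"none"},
# empty signature, and a payload that is itself a compact JWT string.
ISSUE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJjdHkiOiJKV1QiLCJhbGciOiJub25lIn0."
    "ZXlKemRXSWlPaUl4TWpNME5UWTNPRGt3SWl3aWJtRnRaU0k2SWtwdmFHNGdSRzlsSWl3aWFXRjBJam94"
    "TlRFMk1qTTVNREl5TENKbGVIQWlPakU1TVRZeU16a3dNako5LmRNRDNNTHVIVGlPLVF5OVB2T29NY2hO"
    "TTRDekZJZ0k3aktWclJ0bHFsTTA."
)

DEMO_KEY = b"constructed-demo-key"  # assumption: HMAC key for the constructed token only


def b64url_decode(segment):
    """JWT segments omit base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(header, payload, key):
    """Build a compact JWS over arbitrary payload bytes. The payload may be JSON
    claims or, for cty=JWT, another compact token (RFC 7519 section 5.2)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(payload)
    sig = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    return h + "." + p + "." + b64url_encode(sig)


def decode_jwt(token, key=None, depth=0, max_depth=3):
    """Decode a compact JWS for inspection without crashing on nested tokens.

    Returns {"header": dict, "payload": ..., "verified": bool}. The payload is
    the parsed claims, a nested result when the header says cty=JWT, or
    {"raw": str, "error": str} when it is neither valid JSON nor a well-formed
    inner token. Only HS256 with a supplied key is ever marked verified;
    "none" and unknown algorithms are always reported as unverified.
    """
    if depth > max_depth:
        raise ValueError("nested deeper than %d levels" % max_depth)
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 segments, got %d" % len(parts))
    header = json.loads(b64url_decode(parts[0]))
    payload = b64url_decode(parts[1])

    verified = False
    if header.get("alg") == "HS256" and key is not None:
        expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"),
                            hashlib.sha256).digest()
        verified = hmac.compare_digest(expected, b64url_decode(parts[2]))

    if str(header.get("cty", "")).upper() == "JWT":
        # Nested JWT: the payload is a compact token, not a JSON object.
        # This is the branch the json.loads() call in the traces above lacks.
        try:
            inner = decode_jwt(payload.decode("ascii"), key, depth + 1, max_depth)
        except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError too
            inner = {"raw": payload.decode("ascii", "replace"), "error": str(exc)}
        return {"header": header, "payload": inner, "verified": verified}

    try:
        claims = json.loads(payload)
    except ValueError as exc:
        claims = {"raw": payload.decode("utf-8", "replace"), "error": str(exc)}
    return {"header": header, "payload": claims, "verified": verified}


def build_demo_nested_token(key=DEMO_KEY):
    """Constructed example: a well-formed Nested JWT, HS256-signed at both levels."""
    claims = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022, "exp": 1916239022}
    inner = sign_hs256({"alg": "HS256", "typ": "JWT"},
                       json.dumps(claims, separators=(",", ":")).encode(), key)
    return sign_hs256({"alg": "HS256", "typ": "JWT", "cty": "JWT"}, inner.encode("ascii"), key)


if __name__ == "__main__":
    print(json.dumps(decode_jwt(ISSUE_TOKEN), indent=2))
    print(json.dumps(decode_jwt(build_demo_nested_token(), DEMO_KEY), indent=2))
```

Decoding for inspection is deliberately separated from verification here: the "verified" flag is the only trustworthy output, an alg of "none" never sets it, and a decoder used in a pentest tool should keep showing the raw payload (as this one does for the report's two-segment inner token) rather than raising, since attacker-controlled tokens are exactly the input it has to survive.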