Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jwt-go library vulnerability #997

Closed
foolmacky opened this issue Oct 1, 2020 · 3 comments
Closed

jwt-go library vulnerability #997

foolmacky opened this issue Oct 1, 2020 · 3 comments

Comments

@foolmacky
Copy link

Hello,

I'm using viper in our project in my company.
Recently, critical vulnerability has detected by 'Source Clear',
and I can't release updates.

The cause of this vulnerability is jwt-go library.
https://www.sourceclear.com/vulnerability-database/security/authorization-bypass/go/sid-27284

In jwt-go project the vulnerability is indicated on July, 2020.
But there is no action ?, and the issue was closed.
And some of users move away from unmaintained jwt-go project.
Sigh...

dgrijalva/jwt-go#422
dgrijalva/jwt-go#426
go-chi/jwtauth#50

Please let me know how you handle this matter in viper ?

Thanks.
@github-actions
Copy link

github-actions bot commented Oct 1, 2020

👋 Thanks for reporting!

A maintainer will take a look at your issue shortly. 👀

In the meantime: We are working on Viper v2 and we would love to hear your thoughts about what you like or don't like about Viper, so we can improve or fix those issues.

⏰ If you have a couple minutes, please take some time and share your thoughts: https://forms.gle/R6faU74qPRPAzchZ9

📣 If you've already given us your feedback, you can still help by spreading the news,
either by sharing the above link or telling people about this on Twitter:

https://twitter.com/sagikazarmark/status/1306904078967074816

Thank you! ❤️

@sagikazarmark
Copy link
Collaborator

Hi @foolmacky,

Looks like the jwt package is a dependency of github.com/coreos/etcd/auth. Currently Viper pulls in a ton of dependencies, because the etcd client package is embedded into the main project.

We are actually waiting for etcd-io/etcd#12204 to happen which will make things a whole lot easier.

Looking at the import graph, however, the aforementioned package will never be built into anything because of Viper:

❯ go mod why github.com/dgrijalva/jwt-go
# github.com/dgrijalva/jwt-go
github.com/spf13/viper/remote
github.com/bketelsen/crypt/config
github.com/bketelsen/crypt/backend/etcd
github.com/coreos/etcd/client
github.com/coreos/etcd/client.test
github.com/coreos/etcd/integration
github.com/coreos/etcd/etcdserver
github.com/coreos/etcd/auth
github.com/dgrijalva/jwt-go

As you can see, it's there because of a test dependency.

You can also verify this by running

❯ go list -deps ./... | grep jwt
golang.org/x/oauth2/jwt

The mentioned jwt library is not actually a dependency of Viper. So you can mark this issue as a false alert (if you can) in your system: you won't be affected by it because of Viper.

Hopefully, once etcd 3.5 is released, this issue will go away.

In the mean time, etcd still seems to rely on this library:

https://github.com/etcd-io/etcd/blob/ab4cc3caef3d6a1bb7c8c9e79749357eafef42df/go.mod#L11

It might be worth opening an issue there as well.

@foolmacky
Copy link
Author

Hello @sagikazarmark

Thank you for explaining so clearly.
I now have a deeper understanding of the matter.

In 'Source Clear' web interface, it looks that Viper relly on jwt-go directory,
but it is incorrect.

I can deal with the probrem.

Thanks.

@PushkarJ PushkarJ mentioned this issue May 27, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sagikazarmark @foolmacky