dgrijalva / jwt-go

ARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at:
https://github.com/golang-jwt/jwt
MIT License

Panic seen when parsing invalid 'exp' claim attribute #479

Open pkmachani opened 2 years ago

pkmachani commented 2 years ago

In version 4.0.0 of the library, I noticed in my tests that there was a panic when parsing the 'exp' claim attribute. It appears from the code that the validation of the parsed value did not check for an error and dereferenced it, causing the panic.

Claim values used for testing:

{ "iss": "87190e4d-db7a", "sub": "714a4cfc-9ba7", "aud": "5GCORE", "scope": "somescope", "exp": "not/an/actual/date" }

algorithm: RS256

File time.go

// UnmarshalJSON implements the json package's Unmarshaler interface
func (t *Time) UnmarshalJSON(data []byte) error {
    var value json.Number
    err := json.Unmarshal(data, &value)
    if err != nil {
        return err
    }
    v, err := ParseTime(value)

    *t = *v // <== dereference causing panic

    return err
}

Panic:

        /usr/lib/go/src/runtime/panic.go:679 +0x1b2
github.com/dgrijalva/jwt-go/v4.(*Time).UnmarshalJSON(0xc0001a5700, 0xc000160468, 0x14, 0x15, 0x7f6c4451afd8, 0xc0001a5700)
        /root/go/pkg/mod/github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1/time.go:70 +0xc4
encoding/json.(*decodeState).literalStore(0xc0002efb80, 0xc000160468, 0x14, 0x15, 0xc07c00, 0xc0001943a8, 0x196, 0x0, 0xbd, 0xc0002efba8)
        /usr/lib/go/src/encoding/json/decode.go:918 +0x2b7b
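
An added example, not code from this issue or from jwt-go: a self-contained stand-in showing the error check whose absence the report describes, so a malformed `exp` comes back as an error instead of reaching the nil dereference. The names `NumericDate`, `parseNumericDate`, `Claims` and `DecodeClaims` are hypothetical, and the sample payloads are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// NumericDate is a hypothetical stand-in for the library's Time type.
type NumericDate struct{ time.Time }

// parseNumericDate has the (*T, error) shape of ParseTime: nil pointer on failure.
func parseNumericDate(n json.Number) (*NumericDate, error) {
	secs, err := n.Float64()
	if err != nil {
		return nil, fmt.Errorf("invalid numeric date %q: %w", n.String(), err)
	}
	whole := int64(secs)
	return &NumericDate{time.Unix(whole, int64((secs-float64(whole))*1e9)).UTC()}, nil
}

// UnmarshalJSON returns on either error before the pointer is dereferenced.
func (t *NumericDate) UnmarshalJSON(data []byte) error {
	var value json.Number
	if err := json.Unmarshal(data, &value); err != nil {
		return err
	}
	v, err := parseNumericDate(value)
	if err != nil {
		return err // v is nil here, so *v would panic
	}
	*t = *v
	return nil
}

type Claims struct{ ExpiresAt *NumericDate `json:"exp"` }

// DecodeClaims fills the constructed Claims type; the result is valid only if err is nil.
func DecodeClaims(payload []byte) (*Claims, error) {
	c := new(Claims)
	return c, json.Unmarshal(payload, c)
}

func main() {
	// Constructed payloads: a non-numeric string, an out-of-range number, a valid value.
	for _, p := range []string{`{"exp":"not/an/actual/date"}`, `{"exp":1e999}`, `{"exp":1700000000}`} {
		_, err := DecodeClaims([]byte(p))
		fmt.Printf("%-30s err=%v\n", p, err)
	}
}
```

The `1e999` payload is a syntactically valid JSON number, so it passes the first `json.Unmarshal` and only fails in the parse helper, which is the path where the second error check matters.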