imbo / behat-api-extension

API extension for Behat, used to ease testing of JSON-based APIs
MIT License

Add support for firebase/php-jwt at version 6 #121

Closed pixelfantasy closed 1 year ago

pixelfantasy commented 2 years ago

As firebase/php-jwt has an active vulnerability with a CVSS score of 7.5 (high) for every version below 6, there should be the possibility to upgrade that package. I made it optional to give others the opportunity to adapt their code, if any dependencies are present.

Details of vulnerability can be found here: https://security.snyk.io/vuln/SNYK-PHP-FIREBASEPHPJWT-2434829

pixelfantasy commented 2 years ago

Hello Christer,

I set back the content of the .gitignore to the former state.

Greetings, Klaus

christeredvartsen commented 2 years ago

The build is still failing.

pixelfantasy commented 2 years ago

Local run of composer validate --strict was successful. Pushed changes to main on forked repo.

jawira commented 2 years ago

@pixelfantasy You also have to update unit tests, simply changing composer.json is not enough.

pixelfantasy commented 2 years ago

Sorry guys, but I did not manage to fix the unit tests. The new Firebase JWT now demands a kid (Key ID) which is used to locate the secret. The kid node must be part of the header information. The tests consist of many comparisons which involve pregenerated JWT tokens. I tried to refactor the tests by adjusting the arrays and regenerating the JWT tokens with the help of https://jwt.io, but could not get it running.

Honestly I am not so deep into this topic and maybe somebody else has to take over at this point.

Primary involved files:

- tests/ArrayContainsComparator/Matcher/JWTTest.php
- src/ArrayContainsComparator/Matcher/JWT.php
- vendor/firebase/php-jwt/src/JWT.php (functions decode() and later on getKey(), which throws the exception)

Information about kid: https://stackoverflow.com/questions/37408684/is-it-still-possible-to-do-server-side-verification-of-tokens-in-firebase-3?noredirect=1#comment62518682_37408684

Resource for valid kid: https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

My approach was something like this on the test array data:

```php
[
    'jwt' => 'jwt_token_with_new_structure',
    'name' => 'my jwt',
    'kid' => '21e6c0c6b4e3095247c0680000e1b43182386d50',
    'payload' => [
        'sub' => '1234567890',
        'name' => 'John Doe',
        'admin' => true,
    ],
    'secret' => [
        '21e6c0c6b4e3095247c0680000e1b43182386d50' => 'secret',
    ],
]
```

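The behaviour described in the comment above (the token header must carry a kid that selects one entry from a map of secrets, and decoding is rejected before any signature check when it does not) is reproduced below as an added example in plain Python. This is not code from behat-api-extension or from firebase/php-jwt; it is a stand-alone HS256 encoder/decoder that mirrors the multi-key lookup so that fixtures like the array above can be regenerated offline and checked. The kid value is taken from the comment; the payload, the placeholder secret `secret` and the error message strings are constructed for this example.

```python
"""Mirror of the kid-based key lookup performed by a multi-key JWT decode,
written as a stand-alone example (not firebase/php-jwt's own code)."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


class JWTError(ValueError):
    """Raised when a token cannot be verified against the supplied key set."""


def b64url_encode(data: bytes) -> str:
    # JWS uses unpadded base64url (RFC 7515, appendix C)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that was stripped on encode
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(payload: dict, secret: str, kid: Optional[str] = None) -> str:
    """Build an HS256 token; the kid header is emitted only when one is given."""
    header = {"typ": "JWT", "alg": "HS256"}
    if kid is not None:
        header["kid"] = kid
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    signature = hmac.new(
        secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256
    ).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_hs256(token: str, keys: Dict[str, str]) -> dict:
    """Verify a token against a kid -> secret map and return its payload.

    As with a key array handed to the decoder discussed in the thread, the
    header must name a kid that exists in the map; a missing or unknown kid
    is rejected before the signature is even looked at.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("Wrong number of segments")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise JWTError("Algorithm not allowed")
    kid = header.get("kid")
    if kid is None:
        raise JWTError('"kid" empty, unable to lookup correct key')
    if kid not in keys:
        raise JWTError('"kid" invalid, unable to lookup correct key')
    expected = hmac.new(
        keys[kid].encode("utf-8"),
        (parts[0] + "." + parts[1]).encode("ascii"),
        hashlib.sha256,
    ).digest()
    # Constant-time comparison so verification time does not depend on the input
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise JWTError("Signature verification failed")
    return json.loads(b64url_decode(parts[1]))


def try_decode(token: str, keys: Dict[str, str]) -> Tuple[Optional[dict], Optional[str]]:
    """Return (payload, None) on success or (None, error message) on rejection."""
    try:
        return decode_hs256(token, keys), None
    except JWTError as exc:
        return None, str(exc)


# Constructed fixture data in the shape sketched in the comment above; the kid
# is the value from that comment, the secret is a placeholder.
KID = "21e6c0c6b4e3095247c0680000e1b43182386d50"
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "admin": True}
SECRETS = {KID: "secret"}


def build_fixture() -> dict:
    """Regenerate a test fixture whose token carries the kid its key map expects."""
    return {
        "jwt": encode_hs256(PAYLOAD, SECRETS[KID], KID),
        "name": "my jwt",
        "kid": KID,
        "payload": PAYLOAD,
        "secret": SECRETS,
    }


if __name__ == "__main__":
    fixture = build_fixture()
    print(fixture["jwt"])
    print(try_decode(fixture["jwt"], fixture["secret"]))
    # A token minted without a kid is rejected even though the secret matches
    print(try_decode(encode_hs256(PAYLOAD, "secret"), SECRETS))
```

The point for the test suite is the last line of the script: a token that was valid against a single shared secret fails against a key map purely because its header lacks a kid, so pregenerated fixtures have to be re-minted with the kid header rather than only re-signed.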
khiminrm commented 1 year ago

Hi, any updates there? Can the maintainers of the library fix the issue? I've also faced it in one project, where I need to upgrade firebase/php-jwt, but can't due to the issue :(

khiminrm commented 1 year ago

@christeredvartsen is this problem only with hardcoded tokens in tests as described in https://github.com/imbo/behat-api-extension/pull/121#issuecomment-1258358307 ? How can we fix it? Is it safe to just upgrade firebase/php-jwt to the latest version as a temporary fix on a project where we're using both libraries? Will behat-api-extension work in such a case without errors? Could you, please, help?

syl20b commented 1 year ago

Hi there, have you any news about this issue? Thank you

christeredvartsen commented 1 year ago

125