The function expects a `list[str]`, but if a user does not use a type checker and accidentally passes a string, any `alg` header that is a substring of that string will be verified against an algorithm with that substring's name.
For example, when I find only `"ES256K"` acceptable, an attacker could construct a token with `"ES256"` in the `alg` header and PyJWT would verify using that algorithm, instead of the intended one, because `("ES256" in "ES256K") == True`.
To protect against such misuse `InvalidAlgorithmError` should be raised either if the type of `algorithms` is not in `[list, NoneType]` or at least if it is `str`.
https://github.com/jpadilla/pyjwt/blob/f86b8b6ce670e40f1ef037b70ac6b4c682e8ac6f/jwt/api_jws.py#L287-L300
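The membership test at the heart of the report, shown side by side with a type-checked variant, as an added example that is not PyJWT's own code. `InvalidAlgorithmError` here is a local stand-in for the library's exception, `allowed_by_naive_check` reproduces the plain `alg in algorithms` test the issue describes, and `allowed_by_strict_check` rejects a `str` (and any non-list, non-None) `algorithms` value before consulting it; treating `None` as an empty allow-list is an assumption of this example, not PyJWT behaviour.

```python
from typing import Any, Optional

class InvalidAlgorithmError(Exception):
    """Stand-in for jwt.exceptions.InvalidAlgorithmError (illustrative only)."""

def allowed_by_naive_check(alg: str, algorithms: Any) -> bool:
    """The unguarded test: `in` works on lists and on strings alike.

    With algorithms == "ES256K" this is a substring test, so an attacker-chosen
    header value "ES256" (or even "S2") passes. That is the bug in the report.
    """
    return alg in algorithms

def allowed_by_strict_check(alg: str, algorithms: Optional[list]) -> bool:
    """Type-check the allow-list first, then do an exact-match membership test.

    Raises InvalidAlgorithmError for a str (the case from the report) and for any
    other type that is not list or None, so a misconfiguration fails closed
    instead of silently widening the set of accepted algorithms.
    """
    if isinstance(algorithms, str):
        raise InvalidAlgorithmError(
            "algorithms must be a list of algorithm names, not a str "
            f"(got {algorithms!r}); wrap it as [{algorithms!r}]"
        )
    if algorithms is not None and not isinstance(algorithms, list):
        raise InvalidAlgorithmError(
            f"algorithms must be a list or None, got {type(algorithms).__name__}"
        )
    # Assumption for this example: None means no algorithm is allowed.
    if algorithms is None:
        return False
    # Exact string comparison against each entry, never a substring test.
    return any(alg == candidate for candidate in algorithms)

def demo() -> dict:
    """Walk a few header values through both checks; returns the results."""
    # Constructed sample: the only algorithm the verifier intends to accept.
    intended_as_list = ["ES256K"]
    intended_as_str = "ES256K"          # the accidental misuse from the report
    # Constructed sample alg header values an attacker might put in a token.
    header_algs = ["ES256K", "ES256", "S256", "HS256"]
    results = {}
    for alg in header_algs:
        naive_str = allowed_by_naive_check(alg, intended_as_str)
        naive_list = allowed_by_naive_check(alg, intended_as_list)
        strict_list = allowed_by_strict_check(alg, intended_as_list)
        try:
            allowed_by_strict_check(alg, intended_as_str)
            strict_str = "allowed"
        except InvalidAlgorithmError:
            strict_str = "rejected config"
        results[alg] = (naive_str, naive_list, strict_list, strict_str)
    return results

if __name__ == "__main__":
    for alg, (naive_str, naive_list, strict_list, strict_str) in demo().items():
        print(f"{alg:7} naive(str)={naive_str!s:5} naive(list)={naive_list!s:5} "
              f"strict(list)={strict_list!s:5} strict(str)={strict_str}")
```

Running `demo()` shows the asymmetry the issue points out: with the allow-list spelled as a list both checks accept only `ES256K`, but with the string form the naive test also lets `ES256` and `S256` through, while the strict version refuses to verify anything until the configuration is corrected.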