jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

There should be a check on the type of algorithms in signature verification #944

Closed CharString closed 2 months ago

CharString commented 5 months ago

https://github.com/jpadilla/pyjwt/blob/f86b8b6ce670e40f1ef037b70ac6b4c682e8ac6f/jwt/api_jws.py#L287-L300

The function expects a `list[str]`, but if a user does not use a type checker and accidentally passes a string, any `alg` header that is a substring of that string will be verified against an algorithm with that substring's name.

For example, when I find only "ES256K" acceptable, an attacker could construct a token with "ES256" in the `alg` header and PyJWT would verify using that algorithm instead of the intended one, because `("ES256" in "ES256K") == True`.

To protect against such misuse, `InvalidAlgorithmError` should be raised either if the type of `algorithms` is not in `[list, NoneType]`, or at least if it is `str`.
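The substring pitfall described in the comment above, next to the type check it proposes, as an added example: this is not code from PyJWT or from the issue author. It assumes a local `InvalidAlgorithmError` class standing in for the library's exception, a constructed unsigned token whose signature segment is a placeholder, and a simplified `alg`-allowlist check; PyJWT's real decode path (key handling, signature verification, its treatment of `algorithms=None`) is not modeled.

```python
import base64
import json


class InvalidAlgorithmError(Exception):
    """Local stand-in for the exception the issue asks PyJWT to raise (assumption)."""


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(alg: str) -> str:
    """Build a constructed, unsigned compact JWS for demonstration only.

    The third segment is a placeholder, not a real signature.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": "demo"}).encode())
    return f"{header}.{payload}.placeholder"


def alg_from_token(token: str) -> str:
    """Return the 'alg' value from the header of a compact JWS (no verification)."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return header["alg"]


def naive_is_allowed(alg: str, algorithms) -> bool:
    # Mirrors the membership test the issue describes: when `algorithms` is
    # accidentally a str, `in` is a substring test, so "ES256" in "ES256K" is True.
    return alg in algorithms


def strict_check_alg(alg: str, algorithms) -> None:
    # Hardened variant: reject a bare str (and any non-sequence) outright, so a
    # substring match can never pass as an allowlist hit.
    if algorithms is None:
        # Passed through unchecked here, matching the [list, NoneType] allowance
        # proposed in the issue (assumption; PyJWT's own None handling differs).
        return
    if isinstance(algorithms, str) or not isinstance(algorithms, (list, tuple, set, frozenset)):
        raise InvalidAlgorithmError(
            "algorithms must be a list of algorithm names, not %s" % type(algorithms).__name__
        )
    if alg not in algorithms:
        raise InvalidAlgorithmError("The specified alg value is not allowed")


def verify_alg_from_token(token: str, algorithms) -> str:
    """Extract the token's alg and run the strict allowlist check; return the alg."""
    alg = alg_from_token(token)
    strict_check_alg(alg, algorithms)
    return alg


def rejects(token: str, algorithms) -> bool:
    """True if the strict check refuses this token/allowlist pair."""
    try:
        verify_alg_from_token(token, algorithms)
    except InvalidAlgorithmError:
        return True
    return False


if __name__ == "__main__":
    forged = make_token("ES256")  # attacker-chosen alg, not the ES256K we intended
    print("naive, str allowlist :", naive_is_allowed(alg_from_token(forged), "ES256K"))    # True (bug)
    print("naive, list allowlist:", naive_is_allowed(alg_from_token(forged), ["ES256K"]))  # False
    print("strict, str allowlist:", rejects(forged, "ES256K"))                              # True (rejected)
```

Running it shows the two faces of the misuse: with `algorithms="ES256K"` the naive `in` test accepts an `ES256` header, while the strict check refuses the string-typed allowlist before the membership test is even reached, so a caller who forgot the list brackets fails closed instead of silently widening the accepted algorithms.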

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.