mpdavis / python-jose

A JOSE implementation in Python
MIT License
1.55k stars 237 forks

Fix for CVE-2024-33664. JWE limited to 250K #352

Open alistairwatts opened 6 months ago

alistairwatts commented 6 months ago

This fix for CVE-2024-33664 ensures that any incoming JWE is under 250K, which seems to be a sensible, albeit large, limit. The specific fix for the "zip bomb" issue ensures that we decompress no more than 250K of data. If that limit is reached then a JWEError is raised.

There's rough symmetry here ensuring that both compressed and uncompressed JWE data is no more than 250K.
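The two checks the PR describes, as an added illustration rather than the PR's own diff: an outer size check on the compact JWE and an inner bound on how much a `"zip": "DEF"` payload may inflate to. The `JWEError` class, the `MAX_JWE_BYTES` value (250K read here as 250 KiB) and the `deflate` helper are stand-ins assumed for this example, not python-jose's code.

```python
import zlib

# Assumption: the PR's "250K" is read as 250 KiB; the real constant and
# exception live in python-jose, these stand-ins exist only for the example.
MAX_JWE_BYTES = 250 * 1024

class JWEError(Exception):
    """Stand-in for python-jose's JWEError (hypothetical name here)."""

def check_jwe_size(token: bytes) -> bytes:
    """Outer check: reject the compact JWE before any parsing if it is too big."""
    if len(token) > MAX_JWE_BYTES:
        raise JWEError("JWE larger than %d bytes" % MAX_JWE_BYTES)
    return token

def bounded_inflate(compressed: bytes, limit: int = MAX_JWE_BYTES) -> bytes:
    """Inner check: inflate a DEFLATE ("zip": "DEF") plaintext but stop as soon
    as the output would exceed `limit`, so a few KB of compressed input cannot
    be expanded into hundreds of MB (the decompression bomb in CVE-2024-33664)."""
    inflater = zlib.decompressobj(wbits=-15)  # raw DEFLATE, no zlib header
    out = bytearray()
    data = compressed
    try:
        while data:
            # Ask for at most limit+1 bytes so a single extra byte proves overflow.
            out += inflater.decompress(data, max_length=limit + 1 - len(out))
            if len(out) > limit:
                raise JWEError("decompressed JWE payload exceeds %d bytes" % limit)
            data = inflater.unconsumed_tail  # input zlib has not consumed yet
        if not inflater.eof:
            out += inflater.flush()  # drain bytes still buffered in the inflater
    except zlib.error as exc:
        raise JWEError("malformed compressed JWE payload") from exc
    if len(out) > limit:
        raise JWEError("decompressed JWE payload exceeds %d bytes" % limit)
    return bytes(out)

def deflate(raw: bytes) -> bytes:
    """Raw DEFLATE helper used only to build constructed sample payloads."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(raw) + c.flush()

def inflates_within_limit(compressed: bytes) -> bool:
    """True if the payload inflates within the limit, False if it is rejected."""
    try:
        bounded_inflate(compressed)
        return True
    except JWEError:
        return False
```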

omufeed commented 6 months ago

Is this repository still maintained? Would be great to check and merge this PR.

Shinnnyshinshin commented 6 months ago

Thank you for this work @alistairwatts. Would love to see this PR go in.

CharlesPerrotMinotHCHB commented 6 months ago

Let's try pinging @asherf and @mpdavis

smittysmee commented 6 months ago

@mpdavis

maciejstromich commented 6 months ago

If @mpdavis does not work, maybe @michaeldavis-wf will?

twwildey commented 5 months ago

Can you rebase your changes onto the latest master branch and force-update your branch for this PR?

nicholas-quirk-mass-gov commented 5 months ago

@alistairwatts

CharlesPerrotMinotHCHB commented 5 months ago

@twwildey

phasath commented 2 months ago

Any updates here?

BEEFF commented 1 week ago

Right now we should be checking the length of the tokens at the API level whilst waiting for this fix? Dependabot brought me here.