strimzi / strimzi-kafka-oauth

OAuth2 support for Apache Kafka® to work with many OAuth2 authorization servers
Apache License 2.0

Bump jsonpath dependency to 2.8.0 for sub-dependency CVE #190

Closed ajborley closed 1 year ago

ajborley commented 1 year ago

Mitigates CVE-2023-1370, which is found in json-smart, which is a sub-dependency of the com.jayway.jsonpath:json-path dependency.

scholzj commented 1 year ago

It looks good to me. But I think @mstruk mentioned some issues with backwards compatibility between 2.6.0 and 2.8.0 (if I'm not mistaken and it was this dependency).

mstruk commented 1 year ago

The incompatibility is actually the reason the test is failing. They fixed a bug in how a mid-evaluation exception was used for flow control, which resulted in non-intuitive / buggy results when testing an attribute value for null using == or !=. The problem was that when the attribute was not present, == null would result in false, and != null would result in true. For this reason we have a warning in the README doc about not using null in custom claim check queries. But people don't always read the doc ...

But then, we can't be stuck on a CVE-ed version. I'm thinking of checking for the presence of null in the oauth.custom.claim.check query, and printing a warning during startup. I guess there's not much more we can do.
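A sketch of the startup check proposed in the comment above, added here as an illustration and not code from the strimzi-kafka-oauth project: it looks for a bare `null` literal in an `oauth.custom.claim.check` filter query, ignores `null` inside quoted string values, and returns a warning message the startup code could log. The sample queries are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed sample queries in the style of oauth.custom.claim.check filter
# expressions; they are illustrative and not taken from the project.
QUERY_WITH_NULL = "@.email != null && @.aud == 'kafka'"
QUERY_NULL_IN_STRING = "@.name == 'null' && @.aud == 'kafka'"
QUERY_SAFE = "@.roles anyof ['kafka-user']"

_NULL_LITERAL = re.compile(r"\bnull\b")


def _mask_string_literals(query: str) -> str:
    """Replace quoted string literals (and their quotes) with spaces so that a
    'null' used as a legitimate string value is not flagged; offsets are kept."""
    chars = list(query)
    i = 0
    while i < len(chars):
        if chars[i] in ("'", '"'):
            quote = chars[i]
            chars[i] = " "
            i += 1
            while i < len(chars) and chars[i] != quote:
                if chars[i] == "\\" and i + 1 < len(chars):
                    chars[i] = " "  # skip the escape character
                    i += 1
                chars[i] = " "
                i += 1
            if i < len(chars):
                chars[i] = " "  # closing quote
        i += 1
    return "".join(chars)


def null_positions(query: str) -> List[int]:
    """Offsets of bare 'null' literals in the filter query (outside strings)."""
    return [m.start() for m in _NULL_LITERAL.finditer(_mask_string_literals(query))]


def check_custom_claim_query(query: str) -> Optional[str]:
    """Return a warning to log at startup if the query compares against null."""
    hits = null_positions(query)
    if not hits:
        return None
    return (
        "WARNING: oauth.custom.claim.check query compares against 'null' at "
        f"offset(s) {hits}; for an absent attribute the result of == null / "
        "!= null depends on the json-path version and may not be what you expect."
    )
```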

mstruk commented 1 year ago

This issue is addressed by #196.