tymondesigns / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen
https://jwt-auth.com
MIT License

CookieParser does not account for encrypted non-serialized cookies since 5.6.30 #1679

Open kurbar opened 5 years ago

kurbar commented 5 years ago

Subject of the issue

With the Cookie serialization vulnerability changes in 5.6.30, cookies are not serialized by default anymore.

When Tymon\JWTAuth\Http\Parser\Cookies->decrypt() is called, it calls Laravel's Crypt::decrypt(), which has a default parameter of $unserialize = true. Currently tymon/jwt-auth doesn't validate whether the cookie value might indeed be non-serialized.

Your environment

Q                  A
Bug?               yes
New Feature?       no
Framework          Laravel
Framework version  5.7.8
Package version    1.0.0-rc.3
PHP version        7.2.7

Steps to reproduce

  1. Create a new Laravel application with version 5.6.30 or newer.
  2. Install tymon/jwt-auth 1.0.0-rc.3.
  3. Implement the simplest JWT auth implementation, e.g. a login view for creating the token and an admin view for consuming the token.
  4. Make sure the EncryptCookies middleware is enabled and that config/jwt.php has decrypt_cookies => true.
  5. Call auth()->user() to get the currently logged-in User.

Expected behaviour

I am able to get the token and the user associated with it.

Actual behaviour

An unserialize() error is thrown.

Workaround

Current workaround I've found is to enforce cookie serialization through EncryptCookies middleware by setting protected static $serialize = true;.

This however will expose the application to the mentioned vulnerability if the app_key were to be compromised.

Stack Trace

[2018-10-05 15:02:05] local.ERROR: unserialize(): Error at offset 0 of 305 bytes {"exception":"[object] (ErrorException(code: 0): unserialize(): Error at offset 0 of 305 bytes at /Users/karl/projects/zone/api/vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php:149)
[stacktrace]
#0 [internal function]: Illuminate\\Foundation\\Bootstrap\\HandleExceptions->handleError(8, 'unserialize(): ...', '/Users/karl/pro...', 149, Array)
#1 /Users/karl/projects/zone/api/vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php(149): unserialize('eyJ0eXAiOiJKV1Q...')
#2 /Users/karl/projects/zone/api/vendor/laravel/framework/src/Illuminate/Support/Facades/Facade.php(223): Illuminate\\Encryption\\Encrypter->decrypt(Array)
#3 /Users/karl/projects/zone/api/vendor/tymon/jwt-auth/src/Http/Parser/Cookies.php(44): Illuminate\\Support\\Facades\\Facade::__callStatic('decrypt', Array)
#4 /Users/karl/projects/zone/api/vendor/tymon/jwt-auth/src/Http/Parser/Parser.php(91): Tymon\\JWTAuth\\Http\\Parser\\Cookies->parse(Object(Illuminate\\Http\\Request))
#5 /Users/karl/projects/zone/api/vendor/tymon/jwt-auth/src/JWT.php(184): Tymon\\JWTAuth\\Http\\Parser\\Parser->parseToken()
#6 /Users/karl/projects/zone/api/vendor/tymon/jwt-auth/src/JWT.php(166): Tymon\\JWTAuth\\JWT->parseToken()
#7 /Users/karl/projects/zone/api/vendor/tymon/jwt-auth/src/JWTGuard.php(78): Tymon\\JWTAuth\\JWT->getToken()
#8 /Users/karl/projects/zone/api/vendor/laravel/framework/src/Illuminate/Auth/AuthManager.php(54): Tymon\\JWTAuth\\JWTGuard->user()
#9 [internal function]: Illuminate\\Auth\\AuthManager->Illuminate\\Auth\\{closure}(NULL)
#10 /Users/karl/projects/zone/api/vendor/laravel/framework/src/Illuminate/Auth/AuthServiceProvider.php(86): call_user_func(Object(Closure), NULL)
#11 [internal function]: Illuminate\\Auth\\AuthServiceProvider->Illuminate\\Auth\\{closure}(NULL)
#12 /Users/karl/projects/zone/api/vendor/laravel/framework/src/Illuminate/Http/Request.php(502): call_user_func(Object(Closure), NULL)
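One way to make the cookie parser respect the application's serialization setting instead of assuming serialized cookies, as an added example (not code from tymon/jwt-auth or Laravel). It assumes Laravel's static EncryptCookies::serialized($name) helper is available, the cookie name `token`, and the hypothetical App\Http\Parser namespace:

```php
<?php
// Added example: pass the app's cookie-serialization setting through to
// Crypt::decrypt() so a non-serialized cookie (the >= 5.6.30 default) is never
// fed to unserialize(). Assumes EncryptCookies::serialized() exists.

namespace App\Http\Parser;

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Cookie\Middleware\EncryptCookies;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Crypt;
use Tymon\JWTAuth\Exceptions\TokenInvalidException;

class Cookies
{
    /** @var string Cookie holding the JWT (assumed name). */
    protected $key = 'token';

    /** @var bool Mirrors config('jwt.decrypt_cookies'). */
    protected $decrypt;

    public function __construct(bool $decrypt = true)
    {
        $this->decrypt = $decrypt;
    }

    /**
     * Read the token from the request cookie, decrypting it only when
     * configured to, and only unserializing when the app serializes cookies.
     */
    public function parse(Request $request): ?string
    {
        if (! $request->hasCookie($this->key)) {
            return null;
        }

        $value = $request->cookie($this->key);

        if (! $this->decrypt) {
            return $value;
        }

        try {
            // Broken form: Crypt::decrypt($value) leaves $unserialize = true and
            // runs unserialize() on a plain JWT string (the error in the trace).
            // Fixed form: ask the middleware whether this cookie was serialized.
            return Crypt::decrypt($value, EncryptCookies::serialized($this->key));
        } catch (DecryptException $e) {
            throw new TokenInvalidException('The token cookie could not be decrypted');
        }
    }
}
```

With $serialize left at its false default the token is returned as a plain string, so the workaround of re-enabling cookie serialization (and with it unserialize() on cookie data) is not needed.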
beckon111 commented 5 years ago

When will this fix come to the package?