Make jwt default to jws algorithms, CVE-2022-39174

lepture · Sep 9, 2022 · 3a38278 · 3a38278
1 parent 80b0808
commit 3a38278
Show file tree

Hide file tree

Showing 7 changed files with 11 additions and 13 deletions.
diff --git a/authlib/jose/__init__.py b/authlib/jose/__init__.py
@@ -42,7 +42,7 @@
     OKPKey.kty: OKPKey,
 }
 
-jwt = JsonWebToken()
+jwt = JsonWebToken(list(JsonWebSignature.ALGORITHMS_REGISTRY.keys()))
 
 
 __all__ = [

diff --git a/authlib/jose/rfc7515/jws.py b/authlib/jose/rfc7515/jws.py
@@ -244,7 +244,7 @@ def _prepare_algorithm_key(self, header, payload, key):
             raise MissingAlgorithmError()
 
         alg = header['alg']
-        if self._algorithms and alg not in self._algorithms:
+        if self._algorithms is not None and alg not in self._algorithms:
             raise UnsupportedAlgorithmError()
         if alg not in self.ALGORITHMS_REGISTRY:
             raise UnsupportedAlgorithmError()

diff --git a/authlib/jose/rfc7516/jwe.py b/authlib/jose/rfc7516/jwe.py
@@ -662,7 +662,7 @@ def get_header_alg(self, header):
             raise MissingAlgorithmError()
 
         alg = header['alg']
-        if self._algorithms and alg not in self._algorithms:
+        if self._algorithms is not None and alg not in self._algorithms:
             raise UnsupportedAlgorithmError()
         if alg not in self.ALG_REGISTRY:
             raise UnsupportedAlgorithmError()
@@ -672,7 +672,7 @@ def get_header_enc(self, header):
         if 'enc' not in header:
             raise MissingEncryptionAlgorithmError()
         enc = header['enc']
-        if self._algorithms and enc not in self._algorithms:
+        if self._algorithms is not None and enc not in self._algorithms:
             raise UnsupportedEncryptionAlgorithmError()
         if enc not in self.ENC_REGISTRY:
             raise UnsupportedEncryptionAlgorithmError()
@@ -681,7 +681,7 @@ def get_header_enc(self, header):
     def get_header_zip(self, header):
         if 'zip' in header:
             z = header['zip']
-            if self._algorithms and z not in self._algorithms:
+            if self._algorithms is not None and z not in self._algorithms:
                 raise UnsupportedCompressionAlgorithmError()
             if z not in self.ZIP_REGISTRY:
                 raise UnsupportedCompressionAlgorithmError()

diff --git a/authlib/jose/rfc7519/jwt.py b/authlib/jose/rfc7519/jwt.py
@@ -25,7 +25,7 @@ class JsonWebToken(object):
         r'^\b(?!(000|666|9))\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b',
     ]), re.DOTALL)
 
-    def __init__(self, algorithms=None, private_headers=None):
+    def __init__(self, algorithms, private_headers=None):
         self._jws = JsonWebSignature(algorithms, private_headers=private_headers)
         self._jwe = JsonWebEncryption(algorithms, private_headers=private_headers)
 

diff --git a/tests/flask/test_oauth2/test_openid_code_grant.py b/tests/flask/test_oauth2/test_openid_code_grant.py
@@ -1,6 +1,6 @@
 from flask import json, current_app
 from authlib.common.urls import urlparse, url_decode, url_encode
-from authlib.jose import JsonWebToken
+from authlib.jose import jwt
 from authlib.oidc.core import CodeIDToken
 from authlib.oidc.core.grants import OpenIDCode as _OpenIDCode
 from authlib.oauth2.rfc6749.grants import (
@@ -91,7 +91,6 @@ def test_authorize_token(self):
         self.assertIn('access_token', resp)
         self.assertIn('id_token', resp)
 
-        jwt = JsonWebToken()
         claims = jwt.decode(
             resp['id_token'], 'secret',
             claims_cls=CodeIDToken,
@@ -203,7 +202,6 @@ def test_authorize_token(self):
         self.assertIn('access_token', resp)
         self.assertIn('id_token', resp)
 
-        jwt = JsonWebToken()
         claims = jwt.decode(
             resp['id_token'],
             self.get_validate_key(),

diff --git a/tests/flask/test_oauth2/test_openid_hybrid_grant.py b/tests/flask/test_oauth2/test_openid_hybrid_grant.py
@@ -1,6 +1,6 @@
 from flask import json
 from authlib.common.urls import urlparse, url_decode
-from authlib.jose import JsonWebToken
+from authlib.jose import jwt
 from authlib.oidc.core import HybridIDToken
 from authlib.oidc.core.grants import (
     OpenIDCode as _OpenIDCode,
@@ -72,7 +72,6 @@ def prepare_data(self):
         db.session.commit()
 
     def validate_claims(self, id_token, params):
-        jwt = JsonWebToken()
         claims = jwt.decode(
             id_token, 'secret',
             claims_cls=HybridIDToken,

diff --git a/tests/jose/test_jwt.py b/tests/jose/test_jwt.py
@@ -195,13 +195,14 @@ def test_use_jwe(self):
         payload = {'name': 'hi'}
         private_key = read_file_path('rsa_private.pem')
         pub_key = read_file_path('rsa_public.pem')
-        data = jwt.encode(
+        _jwt = JsonWebToken(['RSA-OAEP', 'A256GCM'])
+        data = _jwt.encode(
             {'alg': 'RSA-OAEP', 'enc': 'A256GCM'},
             payload, pub_key
         )
         self.assertEqual(data.count(b'.'), 4)
 
-        claims = jwt.decode(data, private_key)
+        claims = _jwt.decode(data, private_key)
         self.assertEqual(claims['name'], 'hi')
 
     def test_use_jwks(self):