Description
Hi 👋
We encountered an issue when our app received an invalid JWT, which looked like this:
{"aud": [null]}
(simplified)
When this is processed by golang-jwt, e.g. with this simplified example code:
var t jwt.RegisteredClaims
err := json.NewDecoder(bytes.NewBuffer([]byte(`{"aud": [null]}`))).Decode(&t)
err.Error()
then, the program panics:
runtime error: invalid memory address or nil pointer dereference
encoding/json.(*UnsupportedTypeError).Error(0x14000000280?)
/opt/homebrew/opt/go/libexec/src/encoding/json/encode.go:234 +0x20
The error seems to be in line 124 in 5e00fbc: UnsupportedTypeError is constructed where the referenced Type is nil. However, the UnsupportedTypeError, in its Error() method, adds the unsupported type from the Type field. That panics, as Type is nil.
I understand that such a token is probably invalid according to its spec; however, I feel that the code should not panic in these cases, but return the appropriate error (which it at least tried to do :D).
I'm also unsure if that is something to be reported to golang-jwt (which constructs the UnsupportedTypeError) or to encoding/json, which uses the Type field without checking if it is nil. If I wrongfully reported this here, please give me a hint and I'll go report it to encoding/json instead ❤️
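
The failure mode reported above, reproduced with the standard library only and shown beside an error construction that is safe to format. This is an added example, not part of the original issue and not golang-jwt's code: `parseAud`, `fragile`, `hardened` and `safeErrorText` are hypothetical names, and filling `Type` from `reflect.TypeOf` is an assumption about how the nil `Type` arises.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// parseAud (hypothetical helper) decodes a JSON string array; onBad builds the element error.
func parseAud(raw string, onBad func(i int, v interface{}) error) (out []string, err error) {
	var items []interface{}
	if err := json.Unmarshal([]byte(raw), &items); err != nil {
		return nil, err
	}
	for i, v := range items {
		s, ok := v.(string)
		if !ok {
			return nil, onBad(i, v)
		}
		out = append(out, s)
	}
	return out, nil
}

// fragile mirrors the reported pattern (assumption): reflect.TypeOf(nil) is
// nil, so a JSON null produces an UnsupportedTypeError whose Type is nil.
func fragile(_ int, v interface{}) error {
	return &json.UnsupportedTypeError{Type: reflect.TypeOf(v)}
}

// hardened names the offending index and uses %T, which prints <nil> safely.
func hardened(i int, v interface{}) error {
	return fmt.Errorf("aud[%d]: expected string, got %T", i, v)
}

// safeErrorText formats err and reports whether Error() itself panicked.
func safeErrorText(err error) (msg string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			msg, panicked = fmt.Sprint(r), true
		}
	}()
	return err.Error(), false
}

func main() {
	_, err := parseAud(`[null]`, fragile) // the aud value from the report's token
	fmt.Println(safeErrorText(err))
}
```

A recover wrapper like `safeErrorText` only contains the panic at the logging site; the durable fix is to never return an `UnsupportedTypeError` with a nil `Type`.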