Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Panic when claim contains an array with null values #315

Closed
FlorianSW opened this issue Jun 9, 2023 · 4 comments · Fixed by #316
Closed

Panic when claim contains an array with null values #315

FlorianSW opened this issue Jun 9, 2023 · 4 comments · Fixed by #316

Comments

@FlorianSW
Copy link

FlorianSW commented Jun 9, 2023
edited
Loading

Hi 👋

we encountered an issue when our app received an invalid JWT, which looked like this:

{"aud": [null]}

(simplified)

When this is processed by golang-jwt, e.g. with this simplified example code:

var t jwt.RegisteredClaims
err := json.NewDecoder(bytes.NewBuffer([]byte(`{"aud": [null]}`))).Decode(&t)
err.Error()

then, the program panics:

runtime error: invalid memory address or nil pointer dereference
encoding/json.(*UnsupportedTypeError).Error(0x14000000280?)
    	/opt/homebrew/opt/go/libexec/src/encoding/json/encode.go:234 +0x20

The error seems to be in

jwt/types.go

Line 124 in 5e00fbc

return &json.UnsupportedTypeError{Type: reflect.TypeOf(vv)}
where an UnsupportedTypeError is constructed where the referenced Type is nil. However, the UnsupportedTypeError, in it's Error() method, adds the unsupported type from the Type field. That panics, as Type is nil.

I understand, that such a token is probably invalid according to it's spec, however, I feel that the code should not panic in these cases, but return the appropriate error (which it at least tried to do :D).

I'm also unsure, if that is something to be reported to golang-jwt (which constructs the UnsupportedTypeError) or to encoding/json, which uses the Type field without checking if it is nil. If I wrongfully reported this here, please give me a hint and I go report it to encoding/json instead ❤️
@oxisto
Copy link
Collaborator

oxisto commented Jun 9, 2023

That is indeed something that golang-jwt should avoid and probably can avoid by not using reflect.TypeOf on a nil value. I will prepare a fix for that.

@oxisto
Copy link
Collaborator

oxisto commented Jun 9, 2023

Ok, after having another look I would say that you should probably report this to the golang team. I initially thought that the usage of reflect.TypeOf panics, but only the Error() function inside encoding/json panics. We could of course avoid this by not using this particular type of error in this case.

@oxisto oxisto mentioned this issue Jun 9, 2023
Merged
oxisto added a commit that referenced this issue Jun 9, 2023
@oxisto
Using jwt's native ErrInvalidType instead of `json.UnsupportedTypeE…
fbeebeb 
…rror`

Previously, when parsing claim values, we used `json.UnsupportedTypeError` to denote if a claim string value is not of the correct type. However, this could lead to panics if a nil value is present and the `Error` function of the `json.UnsupportedTypeError` is called, which does not check for nil types.

Instead, we just now use `ErrInvalidType` similar to the map claims.

Fixes #315
@mfridman
Copy link
Member

mfridman commented Jun 9, 2023
edited
Loading

Thanks for the report, indeed this (or any other code in this package) should never panic.

I think returning an invalid error defined in this package should be sufficient.

oxisto added a commit that referenced this issue Jun 9, 2023
@oxisto
Using jwt's native ErrInvalidType instead of `json.UnsupportedTypeE…

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
0da1691 
…rror` (#316)

Previously, when parsing claim values, we used `json.UnsupportedTypeError` to denote if a claim string value is not of the correct type. However, this could lead to panics if a nil value is present and the `Error` function of the `json.UnsupportedTypeError` is called, which does not check for nil types.

Instead, we just now use `ErrInvalidType` similar to the map claims.

Fixes #315
@FlorianSW
Copy link
Author

Thanks for the quick fix, awesome :)
One little caveat: I think, any additional information to the app code (using this library) which claim or type was invalid, would be nice. However, this was barely the case with the UnsupportedTypeError as well, as it only said which type the claim was. Maybe something for a future PR :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Using jwt's native ErrInvalidType instead of json.UnsupportedTypeError golang-jwt/jwt
3 participants
@FlorianSW @mfridman @oxisto