jws: improve fix for CVE-2025-22868

jub0bs · jub0bs · commit 4323f8ed198b · 2025-03-06T19:33:57.000+01:00
The fix for CVE-2025-22868 relies on strings.Count, which isn't ideal because it precludes failing fast when the token contains an unexpected number of periods. Moreover, Verify still allocates more than necessary. Eschew strings.Count in favor of strings.Cut. Some benchmark results: goos: darwin goarch: amd64 pkg: golang.org/x/oauth2/jws cpu: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz │ old │ new │ │ sec/op │ sec/op vs base │ Verify/full_of_periods-8 24988.00n ± 1% 53.70n ± 0% -99.79% (p=0.000 n=20) Verify/two_trailing_periods-8 3.546m ± 2% 3.420m ± 1% -3.55% (p=0.000 n=20) geomean 297.7µ 13.55µ -95.45% │ old │ new │ │ B/op │ B/op vs base │ Verify/full_of_periods-8 16.00 ± 0% 16.00 ± 0% ~ (p=1.000 n=20) ¹ Verify/two_trailing_periods-8 2.001Mi ± 0% 1.001Mi ± 0% -49.98% (p=0.000 n=20) geomean 5.658Ki 4.002Ki -29.27% ¹ all samples are equal │ old │ new │ │ allocs/op │ allocs/op vs base │ Verify/full_of_periods-8 1.000 ± 0% 1.000 ± 0% ~ (p=1.000 n=20) ¹ Verify/two_trailing_periods-8 12.000 ± 0% 9.000 ± 0% -25.00% (p=0.000 n=20) geomean 3.464 3.000 -13.40% ¹ all samples are equal Also, remove all remaining calls to strings.Split.
diff --git a/jws/jws.go b/jws/jws.go
@@ -116,12 +116,13 @@ func (h *Header) encode() (string, error) {
 // Decode decodes a claim set from a JWS payload.
 func Decode(payload string) (*ClaimSet, error) {
 	// decode returned id token to get expiry
-	s := strings.Split(payload, ".")
-	if len(s) < 2 {
+	headerClaims, _, ok := split(payload)
+	if !ok {
 		// TODO(jbd): Provide more context about the error.
 		return nil, errors.New("jws: invalid token received")
 	}
-	decoded, err := base64.RawURLEncoding.DecodeString(s[1])
+	_, claims, _ := strings.Cut(headerClaims, ".") // guaranteed to succeed by split
+	decoded, err := base64.RawURLEncoding.DecodeString(claims)
 	if err != nil {
 		return nil, err
 	}
@@ -165,13 +166,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
 // Verify tests whether the provided JWT token's signature was produced by the private key
 // associated with the supplied public key.
 func Verify(token string, key *rsa.PublicKey) error {
-	if strings.Count(token, ".") != 2 {
+	signedContent, sig, ok := split(token)
+	if !ok {
 		return errors.New("jws: invalid token received, token must have 3 parts")
 	}
-
-	parts := strings.SplitN(token, ".", 3)
-	signedContent := parts[0] + "." + parts[1]
-	signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
+	signatureString, err := base64.RawURLEncoding.DecodeString(sig)
 	if err != nil {
 		return err
 	}
@@ -180,3 +179,23 @@ func Verify(token string, key *rsa.PublicKey) error {
 	h.Write([]byte(signedContent))
 	return rsa.VerifyPKCS1v15(key, crypto.SHA256, h.Sum(nil), signatureString)
 }
+
+func split(token string) (headerClaims, sig string, ok bool) {
+	const delim = '.'
+	i := strings.IndexByte(token, delim)
+	if i < 0 { // no period
+		return
+	}
+	j := strings.IndexByte(token[i+1:], delim)
+	if j < 0 { // only one period
+		return
+	}
+	k := i + j + 1
+	headerClaims = token[:k]
+	sig, _, found := strings.Cut(token[k+1:], string(delim))
+	if found { // more than two periods
+		return "", "", false
+	}
+	ok = true
+	return
+}
diff --git a/jws/jws_test.go b/jws/jws_test.go
@@ -41,9 +41,29 @@ func TestSignAndVerify(t *testing.T) {
 }
 
 func TestVerifyFailsOnMalformedClaim(t *testing.T) {
-	err := Verify("abc.def", nil)
-	if err == nil {
-		t.Error("got no errors; want improperly formed JWT not to be verified")
+	cases := []struct {
+		desc  string
+		token string
+	}{
+		{
+			desc:  "no periods",
+			token: "aa",
+		}, {
+			desc:  "only one period",
+			token: "a.a",
+		}, {
+			desc:  "more than two periods",
+			token: "a.a.a.a",
+		},
+	}
+	for _, tc := range cases {
+		f := func(t *testing.T) {
+			err := Verify(tc.token, nil)
+			if err == nil {
+				t.Error("got no errors; want improperly formed JWT not to be verified")
+			}
+		}
+		t.Run(tc.desc, f)
 	}
 }
 
