The `iss` value isn't validated when encoding payload #1039
Comments
This was referenced Feb 18, 2025
webknjaz added a commit to arestlelansibletest/awx-plugins that referenced this issue on Feb 19, 2025:

This includes saving integer IDs as `iss` strings in JWT.

Refs:
* PyGithub/PyGithub#3213
* PyGithub/PyGithub#3214
* jpadilla/pyjwt#1039
webknjaz added a commit to webknjaz/ansible--awx-plugins that referenced this issue on Feb 19, 2025:

This patch uses PyGitHub to implement it. It currently only supports GitHub App Client IDs due to limitations in PyGitHub [1]. It also takes care of passing it as a string into the library because PyGitHub does not perform type conversion, which sometimes leads to producing invalid JWTs [2] as the underlying library PyJWT lacks validation [3]. The plugin accepts both GitHub App and installation IDs as integers and normalizes them into strings.

The tests use ephemerally-produced in-memory RSA keys for JWT verification. As an optimization, they are 1024-bit sized because it is cheaper and makes the tests more performant compared to bigger values.

As a temporary measure, the patch includes a suppression of WPS202 in flake8 for `github_app.py`. A few type-ignores were added around PyGitHub exception handling due to them using `Any` [4]. The patch also includes a change to the flake8-eradicate config letting it distinguish comments with URL lists.

[1]: PyGithub/PyGithub#3213
[2]: PyGithub/PyGithub#3214
[3]: jpadilla/pyjwt#1039
[4]: PyGithub/PyGithub#3218

Co-authored-by: Sviatoslav Sydorenko <webknjaz@redhat.com>
webknjaz added a commit to webknjaz/ansible--awx-plugins that referenced this issue on Feb 19, 2025:

This patch uses PyGitHub to implement it. It currently only supports GitHub App IDs due to limitations in PyGitHub [1]. It also takes care of passing it as a string into the library because PyGitHub does not perform type conversion, which sometimes leads to producing invalid JWTs [2] as the underlying library PyJWT lacks validation [3]. The plugin accepts both GitHub App and installation IDs as integers and normalizes them into strings.

The tests use ephemerally-produced in-memory RSA keys for JWT verification. As an optimization, they are 1024-bit sized because it is cheaper and makes the tests more performant compared to bigger values.

As a temporary measure, the patch includes a suppression of WPS202 in flake8 for `github_app.py`. A few type-ignores were added around PyGitHub exception handling due to them using `Any` [4]. The patch also includes a change to the flake8-eradicate config letting it distinguish comments with URL lists.

[1]: PyGithub/PyGithub#3213
[2]: PyGithub/PyGithub#3214
[3]: jpadilla/pyjwt#1039
[4]: PyGithub/PyGithub#3218

Co-authored-by: Sviatoslav Sydorenko <webknjaz@redhat.com>
hmm, it looks like we have the logic to support list of str in My proposal is to throw a ValueError 1) if
I was looking into what PyGitHub does and writing tests for it, invoking its JWT methods. Then I attempted decoding that JWT with `jwt.decode(..., issuer=123)` since there was `'iss': 123` in the object. The validator treats anything non-str as iterables and crashes:

When I attempted `jwt.decode(..., issuer='123')` it hit another code branch and crashed in the equality check:

I understand why this is happening and I'm not the one creating the payload with `iss` being of `int` type. I believe that the root cause is that PyGitHub creates it with an integer and the bug is that PyJWT allows it, not validating the input. I checked the spec @ https://datatracker.ietf.org/doc/html/rfc7519#section-4.1 and it says this is supposed to be a string:

(emphasis mine)

So here we are — PyJWT allows putting arbitrary values into payload on encoding but expects them to be spec-compliant on decoding.

I think there are two things necessary to maintain consistency here — input validation with `jwt.encode()` checking that the values provided are of legal types, and maybe better type checking and error messages in `jwt.decode()` reporting illegal data types.
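The encode-side validation and decode-side type check the report asks for, as an added example (not PyJWT's code and not from the issue author): claim names and their types follow RFC 7519 section 4.1; the `check_issuer` helper and its list-of-issuer support are assumptions about how such a check could look, not PyJWT's implementation.

```python
from numbers import Real

# RFC 7519 section 4.1: iss, sub and jti are StringOrURI; aud is a
# StringOrURI or an array of them; exp, nbf and iat are NumericDate.
_STRING_CLAIMS = ("iss", "sub", "jti")
_NUMERIC_CLAIMS = ("exp", "nbf", "iat")


def claim_type_errors(payload: dict) -> list:
    """Return one message per registered claim whose type is illegal."""
    errors = []
    for name in _STRING_CLAIMS:
        if name in payload and not isinstance(payload[name], str):
            errors.append(f"{name!r} must be a str, got {type(payload[name]).__name__}")
    aud = payload.get("aud")
    if aud is not None:
        items = aud if isinstance(aud, list) else [aud]
        if not all(isinstance(a, str) for a in items):
            errors.append("'aud' must be a str or a list of str")
    for name in _NUMERIC_CLAIMS:
        value = payload.get(name)
        # bool is a subclass of int, so it has to be excluded explicitly
        if value is not None and (isinstance(value, bool) or not isinstance(value, Real)):
            errors.append(f"{name!r} must be a number, got {type(value).__name__}")
    return errors


def normalize_issuer(payload: dict) -> dict:
    """Coerce an int iss (e.g. a GitHub App ID) to str, then reject anything else illegal."""
    fixed = dict(payload)
    iss = fixed.get("iss")
    if isinstance(iss, int) and not isinstance(iss, bool):
        fixed["iss"] = str(iss)
    errors = claim_type_errors(fixed)
    if errors:
        # fail here, before jwt.encode() mints a token that only breaks at decode time
        raise TypeError("; ".join(errors))
    return fixed


def check_issuer(payload: dict, issuer) -> bool:
    """Decode-side issuer check: None skips it; str or list of str (assumed) is matched."""
    if issuer is None:
        return True
    iss = payload.get("iss")
    if not isinstance(iss, str):
        raise TypeError(f"'iss' claim must be a str, got {type(iss).__name__}")
    accepted = [issuer] if isinstance(issuer, str) else list(issuer)
    if not all(isinstance(i, str) for i in accepted):
        raise TypeError("issuer must be a str or a list of str")
    return iss in accepted
```

Running `normalize_issuer` on the payload before `jwt.encode()` turns an integer App ID into the string the spec requires, or raises a TypeError naming the offending claim instead of the crash the report describes.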