Potentially the empty token could be treated as signed #1265

SCIF · 2024-12-27T13:38:40Z

This is unlikely a security vulnerability but rather bad coding: https://github.com/lexik/LexikJWTAuthenticationBundle/blob/3.x/Services/JWSProvider/LcobucciJWSProvider.php#L103-L106

        $e = $token = null;
        try {
            $token = $this->getSignedToken($jws);
        } catch (\InvalidArgumentException) {
        }

        return new CreatedJWS((string) $token, null === $e);

In case InvalidArgumentException was thrown the token will be casted to '' and second argument will be true so the empty token will be considered as properly formed and signed.

The text was updated successfully, but these errors were encountered:

SCIF · 2024-12-27T13:39:56Z

I assume the original idea was to override $e on line 103:

} catch (\InvalidArgumentException $e) {

chalasr · 2024-12-27T13:41:01Z

Yes, that’s a a regular bug

SCIF · 2024-12-28T02:23:47Z

Hi @chalasr , thanks for the confirmation! Any idea why InvalidArgumentException could be ignored? To me this looks like a bad practice

chalasr · 2025-01-06T16:41:16Z

It was a bad move to uncapturing catches. Fixed and simplified in #1267

chalasr closed this as completed Jan 6, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Potentially the empty token could be treated as signed #1265

Potentially the empty token could be treated as signed #1265

SCIF commented Dec 27, 2024

SCIF commented Dec 27, 2024

chalasr commented Dec 27, 2024

SCIF commented Dec 28, 2024

chalasr commented Jan 6, 2025

Potentially the empty token could be treated as signed #1265

Potentially the empty token could be treated as signed #1265

Comments

SCIF commented Dec 27, 2024

SCIF commented Dec 27, 2024

chalasr commented Dec 27, 2024

SCIF commented Dec 28, 2024

chalasr commented Jan 6, 2025