Replace python-jose #2899

Closed
ammar92 opened this issue May 1, 2024 · 2 comments · Fixed by #2925

@ammar92
Contributor

ammar92 commented May 1, 2024

Is your feature request related to a problem? Please describe.
As noticed by @underdarknl, the python-jose package used within Bytes for authentication is currently unmaintained and vulnerable.

Describe the solution you'd like
We should replace the package. There are some more active packages such as python-jwt and pyjwt that could be used.

Describe alternatives you've considered
We could consider an alternative authentication mechanism that works for every service in OpenKAT. Besides the databases, currently only Rocky and Bytes have strict authentication support.

@ammar92 ammar92 added the dependencies, bytes and tech-debt labels May 1, 2024
@ammar92 ammar92 added this to KAT May 1, 2024
@github-project-automation github-project-automation bot moved this to Incoming features / Need assessment in KAT May 1, 2024
@underdarknl underdarknl added this to the OpenKAT v1.16 milestone May 2, 2024
@milliesolem

Hello,

I would strongly recommend going for PyJWT. It is, as far as I've tested, the most thoroughly secured Python implementation of JWT/rfc7519 out there.

The CVE-2024-33663 vulnerability mentioned only affects packages utilizing asymmetric signing and verification with python-jose when the algorithm field is not specified. Bytes uses HS256 (hash-based symmetric signing/MAC) which means it is not affected by the vulnerability. However, python-jose is unmaintained and should be replaced anyways.

Kind regards,
Millie
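As an added illustration of the point above about algorithm pinning (this is not Bytes' code and not PyJWT's): a minimal stdlib HS256 verifier that takes the accepted algorithm from the caller's allowlist rather than from the token header, so a token whose header names any other algorithm is rejected before its signature is even examined. The secret and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample secret; a real service loads its key from configuration.
SECRET = b"constructed-example-secret-do-not-use"
ALLOWED_ALGS = frozenset({"HS256"})  # the verifier's allowlist, fixed by the caller

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token: str, secret: bytes, allowed_algs=ALLOWED_ALGS) -> Optional[dict]:
    """Return the claims if the token verifies, otherwise None.

    The 'alg' header is only compared against the caller's allowlist and never
    used to pick the verification routine, so a header naming "none" or an
    asymmetric algorithm is rejected before any signature check takes place."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in allowed_algs:
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        return None
    return claims
```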

@underdarknl
Contributor

Dear @milliesolem, thanks for reaching out, and thanks for taking the time to look for bugs like these in packages.

The main reason we want to move away from python-jose is indeed the apparent lack of maintenance, and this CVE provides a good reminder of why unmaintained packages are risky. It also gives the author a chance to come forward with a plan of action when it is most needed, which I have not seen at this moment. So, migrate it is.

@Donnype Donnype moved this from Incoming features / Need assessment to Sprint backlog / To do in KAT May 7, 2024
@Donnype Donnype moved this from Sprint backlog / To do to In Progress in KAT May 7, 2024
@Donnype Donnype moved this from In Progress to QA review / functional testing in KAT May 7, 2024
@stephanie0x00 stephanie0x00 moved this from QA review / functional testing to Ready for merge in KAT May 8, 2024
@github-project-automation github-project-automation bot moved this from Ready for merge to Done in KAT May 8, 2024