fix: CVE-2024-34273 (#46)

OKTA-732105 fix: CVE-2024-34273

.gitignore

@@ -9,6 +9,7 @@ yarn-debug.log*
 yarn-error.log*
 package-lock.json
 dist
+junit.xml
 testenv
 
 # Ignore TCK-related files in all folders

CHANGELOG.md

@@ -1,3 +1,9 @@
+# 3.2.2
+
+### Fixes
+
+- [46](https://github.com/okta/okta-jwt-verifier-js/pull/46) - Upgrades `njwt` version to `2.0.1` to pull in [CVE-2024-34273](https://www.cve.org/CVERecord?id=CVE-2024-34273) resolution
+
 # 3.2.1
 
 ### Fixes

lib.js

@@ -228,21 +228,31 @@ class OktaJwtVerifier {
           return reject(err);
         }
 
+        const oktaJwt = {
+          header: { ...jwt.header },
+          toString: () => tokenString,
+        };
+
         const jwtBodyProxy = new Proxy(jwt.body, {});
-        Object.defineProperty(jwt, 'claims', {
+        Object.defineProperty(oktaJwt, 'claims', {
           enumerable: true,
           writable: false,
           value: jwtBodyProxy
         });
 
-        njwtTokenBodyMethods.forEach(methodName => {
-          let method = jwt[methodName];
-          if (method) {
-            jwt[methodName] = method.bind({ body: jwtBodyProxy });
+        njwtTokenBodyMethods.forEach(method => {
+          const fn = jwt[method];
+          if (fn) {
+            oktaJwt[method] = fn.bind({ body: jwtBodyProxy })
           }
         });
-        delete jwt.body;
-        resolve(jwt);
+
+        Object.freeze(oktaJwt.header);
+        // TODO: cannot be frozen without breaking change
+        // Object.freeze(oktaJwt.body);
+        Object.freeze(oktaJwt);
+
+        resolve(oktaJwt);
       });
     });
   }

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@okta/jwt-verifier",
   "private": true,
-  "version": "3.2.1",
+  "version": "3.2.2",
   "description": "Easily validate Okta access tokens",
   "repository": "https://github.com/okta/okta-jwt-verifier-js",
   "homepage": "https://github.com/okta/okta-jwt-verifier-js",
@@ -38,7 +38,7 @@
   "license": "Apache-2.0",
   "dependencies": {
     "jwks-rsa": "^3.1.0",
-    "njwt": "2.0.0"
+    "njwt": "^2.0.1"
   },
   "resolutions": {
     "minimist": "^1.2.6",

test/spec/configuration.spec.js

@@ -30,7 +30,7 @@ describe('jwt-verifier configuration validation', () => {
   });
 
   it('should not throw if https issuer validation is skipped', () => {
-    jest.spyOn(console, 'warn');
+    jest.spyOn(console, 'warn').mockImplementation(()=>{});   // mockImplementation to stop console.warn from actually logging
     function createInstance() {
       new OktaJwtVerifier({
         issuer: 'http://foo.com',

test/spec/verify_id_token.spec.js

@@ -10,8 +10,6 @@
  * See the License for the specific language governing permissions and limitations under the License.
  */
 
-const nock = require('nock');
-const tk = require('timekeeper');
 const constants = require('../constants')
 
 const { createToken, createVerifier, createCustomClaimsVerifier, rsaKeyPair } = require('../util');
@@ -37,7 +35,6 @@ const issuer1TokenParams = {
   NONCE
 };
 
-
 describe('Jwt Verifier - Verify ID Token', () => {
   const mockKidAsKeyFetch = (verifier) => {
     verifier.jwksClient.getSigningKey = jest.fn( ( kid, onKeyResolve ) => {
@@ -364,11 +361,13 @@ describe('Jwt Verifier - Verify ID Token', () => {
   });
 
   describe('Verified JWT', function () {
+    let token;
     let jwt;
     beforeEach(async () => {
-      const token = createToken({
+      token = createToken({
         aud: '0oaoesxtxmPf08QHk0h7',
         iss: ISSUER,
+        exp: Math.floor(Date.now() / 1000)
       }, {
         kid: rsaKeyPair.public
       });
@@ -380,8 +379,16 @@ describe('Jwt Verifier - Verify ID Token', () => {
     });
 
     it('has claims accessors', () => {
+      jest.useFakeTimers();
+      expect(jwt.toString()).toBe(token);
       expect(jwt.isExpired()).toBe(false);
       expect(jwt.isNotBefore()).toBe(false);
+      jest.advanceTimersByTime((60*60*1000) + 1);
+      expect(jwt.toString()).toBe(token);
+      expect(jwt.isExpired()).toBe(true);   // ensures jwt.isExpired() returns true/false based on real timestamp
+      expect(jwt.isNotBefore()).toBe(false);
+      jest.clearAllTimers();
+      jest.useRealTimers();
     });
 
     it('has readonly \'claims\' property', () => {
@@ -395,6 +402,9 @@ describe('Jwt Verifier - Verify ID Token', () => {
 
       jwt.setClaim('exp', (new Date() - 1) / 1000);
       expect(jwt.isExpired()).toBe(true);
+
+      jwt.setIssuer('foobar');
+      expect(jwt.claims.iss).toBe('foobar');
     });
   })
 });

test/util.js

@@ -122,14 +122,12 @@ function getIdToken(options = {}) {
 }
 
 function createToken(claims, headers = {}) {
-  let token = new njwt.Jwt(claims)
-    .setSigningAlgorithm('RS256')
-    .setSigningKey(rsaKeyPair.private);
+  let token = njwt.create(claims, rsaKeyPair.private, 'RS256');
 
   for (const [k, v] of Object.entries(headers)) {
     token = token.setHeader(k, v);
   }
-  
+
   return token.compact();
 }
 
@@ -150,7 +148,10 @@ function createCustomClaimsVerifier(customClaims, otherClaims) {
         body: {
           ...otherClaims,
           ...customClaims
-        }
+        },
+        toString: () => 'fake',
+        isExpired: () => false,
+        isNotBefore: () => false
       })
     }
   };

yarn.lock

@@ -2843,10 +2843,10 @@ nice-try@^1.0.4:
   resolved "https://registry.yarnpkg.com/nice-try/-/nice-try-1.0.5.tgz#a3378a7696ce7d223e88fc9b764bd7ef1089e366"
   integrity sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==
 
-njwt@2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/njwt/-/njwt-2.0.0.tgz#da8b7ad995980de67b8069dad63949d2bd5df27d"
-  integrity sha512-1RcqirhCqThBEe4KO83pFg0wPBa1c9NiXNCrocD2EbZqb6ksWWDVnp/w/p0gsyUcVa05PhhaaPjs9rc/GLmdxQ==
+njwt@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/njwt/-/njwt-2.0.1.tgz#21a224c33ab1468f903210b1f45a20181adb6600"
+  integrity sha512-HwFeZsPJ1aOhIjMjqT9Qv7BOsQbkxjRVPPSdFXNOTEkfKpr9+O6OX+dSN6TxxIErSYSqrmlDR4H2zOGOpEbZLA==
   dependencies:
     "@types/node" "^15.0.1"
     ecdsa-sig-formatter "^1.0.5"