From 4c4c3d8bf07a82d369eb60af99ac993406c8bd2c Mon Sep 17 00:00:00 2001 From: Benjamin Neff Date: Wed, 5 Sep 2018 01:10:57 +0200 Subject: [PATCH] Bump json-jwt and openid_connect Fixes CVE-2018-1000539 --- Gemfile | 2 +- Gemfile.lock | 18 +++++++----------- .../authorizations_controller_spec.rb | 4 +++- .../client_assertion_with_tampered_sig.txt | 2 +- .../api/openid_connect/token_endpoint_spec.rb | 8 ++++++-- 5 files changed, 18 insertions(+), 16 deletions(-) diff --git a/Gemfile b/Gemfile index 173a4f8b0..16e616f8b 100644 --- a/Gemfile +++ b/Gemfile @@ -167,7 +167,7 @@ gem "omniauth-wordpress", "0.2.2" gem "twitter", "6.2.0" # OpenID Connect -gem "openid_connect", "1.1.5" +gem "openid_connect", "1.1.6" # Serializers diff --git a/Gemfile.lock b/Gemfile.lock index 192dee35f..9ad1ce166 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -309,7 +309,7 @@ GEM httparty (0.16.2) multi_xml (>= 0.5.2) httpclient (2.8.3) - i18n (1.0.0) + i18n (1.1.0) concurrent-ruby (~> 1.0) i18n-inflector (2.6.7) i18n (>= 0.4.1) @@ -337,12 +337,10 @@ GEM rails (>= 4.0, < 6.0) sprockets (>= 3.0.0) json (2.1.0) - json-jwt (1.9.2) + json-jwt (1.9.4) activesupport aes_key_wrap bindata - securecompare - url_safe_base64 json-schema (2.8.0) addressable (>= 2.4) json-schema-rspec (0.0.4) @@ -383,7 +381,7 @@ GEM mime-types-data (~> 3.2015) mime-types-data (3.2016.0521) mini_magick (4.8.0) - mini_mime (1.0.0) + mini_mime (1.0.1) mini_portile2 (2.3.0) minitest (5.11.3) mobile-fu (1.4.0) @@ -433,7 +431,7 @@ GEM open_graph_reader (0.6.2) faraday (>= 0.9.0) nokogiri (~> 1.6) - openid_connect (1.1.5) + openid_connect (1.1.6) activemodel attr_required (>= 1.0.0) json-jwt (>= 1.5.0) @@ -479,7 +477,7 @@ GEM pry-byebug (3.6.0) byebug (~> 10.0) pry (~> 0.10) - public_suffix (3.0.2) + public_suffix (3.0.3) rack (2.0.5) rack-cors (1.0.2) rack-google-analytics (1.2.0) 
@@ -487,7 +485,7 @@ GEM activesupport rack-mobile-detect (0.4.0) rack - rack-oauth2 (1.9.1) + rack-oauth2 (1.9.2) activesupport attr_required httpclient @@ -648,7 +646,6 @@ GEM sass (~> 3.4.20) secure_headers (5.0.5) useragent (>= 0.15.0) - securecompare (1.0.0) shellany (0.0.1) shoulda-matchers (3.1.2) activesupport (>= 4.0.0) @@ -739,7 +736,6 @@ GEM unicorn-worker-killer (0.4.4) get_process_mem (~> 0) unicorn (>= 4, < 6) - url_safe_base64 (0.2.2) useragent (0.16.10) uuid (2.3.8) macaddr (~> 1.0) @@ -840,7 +836,7 @@ DEPENDENCIES omniauth-twitter (= 1.4.0) omniauth-wordpress (= 0.2.2) open_graph_reader (= 0.6.2) - openid_connect (= 1.1.5) + openid_connect (= 1.1.6) pg (= 1.0.0) poltergeist (= 1.17.0) pronto (= 0.9.5) diff --git a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb index ebe4f1ef0..7ce14838a 100644 --- a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb +++ b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb @@ -296,7 +296,9 @@ describe Api::OpenidConnect::AuthorizationsController, type: :request do decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY access_token = response.location[/(?<=access_token=)[^&]+/] - access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8]) + access_token_check_num = Base64.urlsafe_encode64( + OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false + ) expect(decoded_token.at_hash).to eq(access_token_check_num) end end diff --git a/spec/fixtures/client_assertion_with_tampered_sig.txt b/spec/fixtures/client_assertion_with_tampered_sig.txt index ff225126e..edfc2d1f9 100644 --- a/spec/fixtures/client_assertion_with_tampered_sig.txt +++ b/spec/fixtures/client_assertion_with_tampered_sig.txt 
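Review bot: The at_hash expectation `Base64.urlsafe_encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false)` now appears verbatim here and in both hunks of spec/lib/api/openid_connect/token_endpoint_spec.rb, so a spec-support helper such as `expected_at_hash(access_token)` returning that value would keep the three copies in step the next time the encoding changes, as it did in this commit. The slice `[0, 128 / 8]` is the left-most half of the SHA-256 digest, which is how OpenID Connect Core §3.1.3.6 defines at_hash, and `padding: false` is load-bearing because `eq` compares the strings exactly; neither is explained, so a comment on the assignment such as `# at_hash: unpadded base64url of the left-most 128 bits of SHA-256(access_token), per OIDC Core 3.1.3.6` would save the next reader a lookup. SHA-256 is only the right hash if the ID token is signed with a *256 algorithm (RS256 is likely given a PUBLIC_KEY constant, but the spec does not show it), which is another reason to keep the computation in one helper rather than three. `Base64` is stdlib and presumably already loaded through ActiveSupport in this spec environment, but the replaced `UrlSafeBase64` came from the url_safe_base64 gem that Gemfile.lock drops in this same commit, so it is worth grepping spec/ and lib/ for any remaining reference before merging. The enclosing `it` block starts outside the hunk.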
@@ -1 +1 @@
-eyJhbGciOiJSUzI1NiIsImtpZCI6ImExIn0.eyJhdWQiOiBbImh0dHBzOi8va2VudHNoaWthbWEuY29tL2FwaS9vcGVuaWRfY29ubmVjdC9hY2Nlc3NfdG9rZW5zIl0sICJpc3MiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UiLCAianRpIjogIjBtY3JyZVlIIiwgImV4cCI6IDE0NDMxNzA4OTEuMzk3NDU2LCAiaWF0IjogMTQ0MzE3MDI5MS4zOTc0NTYsICJzdWIiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UifQ.QJUR3SYFrEIlbfOKjO0NYInddklytbJ2LSWNpkQ1aNThgneDCVCjIYGCaL2C9Sw-GR8j7QSUsKOwBbjZMUmVPFTjsfB4wdgObbxVt1QAXwDjAXc5w1smOerRsoahZ4yKI1an6PTaFxMwnoXUQcBZTsOS6RgXOCPPPoxibxohxoehPLieM0l7LYcF5DQKg7fTxZYOpmtiP--nibJxomXdVQNLSnZuQwnyWtlp_gYmqrYMMN1LPSmNCgZMZZZIYttaaAIA96SylglqubowJRShtDO9rSvUz_sgeCo7qo5Bfb0B5n9_PtIlr1CZSVoHyYj2lVqQldx7fnGuqqQJCfDQoe
\ No newline at end of file
+eyJhbGciOiJSUzI1NiIsImtpZCI6ImExIn0.eyJhdWQiOiBbImh0dHBzOi8va2VudHNoaWthbWEuY29tL2FwaS9vcGVuaWRfY29ubmVjdC9hY2Nlc3NfdG9rZW5zIl0sICJpc3MiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UiLCAianRpIjogIjBtY3JyZVlIIiwgImV4cCI6IDE0NDMxNzA4OTEuMzk3NDU2LCAiaWF0IjogMTQ0MzE3MDI5MS4zOTc0NTYsICJzdWIiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UifQ.QJUR3SYFrEIlbfOKjO0NYInddklytbJ2LSWNpkQ1aNThgneDCVCjIYGCaL2C9Sw-GR8j7QSUsKOwBbjZMUmVPFTjsfB4wdgObbxVt1QAXwDjAXc5w1smOerRsoahZ4yKI1an6PTaFxMwnoXUQcBZTsOS6RgXOCPPPoxibxohxoehPLieM0l7LYcF5DQKg7fTxZYOpmtiP--nibJxomXdVQNLSnZuQwnyWtlp_gYmqrYMMN1LPSmNCgZMZZZIYttaaAIA96SylglqubowJRShtDO9rSvUz_sgeCo7qo5Bfb0B5n9_PtIlr1CZSVoHyYj2lVqQldx7fnGuqqQJCfDQoQ
\ No newline at end of file
diff --git a/spec/lib/api/openid_connect/token_endpoint_spec.rb b/spec/lib/api/openid_connect/token_endpoint_spec.rb
index c27770f33..bccbbf2ae 100644
--- a/spec/lib/api/openid_connect/token_endpoint_spec.rb
+++ b/spec/lib/api/openid_connect/token_endpoint_spec.rb
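Review bot: Only the last character of the signature segment changes (`...CfDQoe` to `...CfDQoQ`), and nothing in the commit message or the specs records why a fixture that was already tampered had to be re-tampered. The final base64url character of a segment carries trailing bits that must be zero: `e` (value 30, 011110) has non-zero low bits while `Q` (value 16, 010000) does not, so the old fixture was non-canonical base64url and a strict decoder such as `Base64.urlsafe_decode64` would presumably reject it as malformed before any signature check ran, whereas the new one decodes and then fails on the signature, which is what a tampered-signature fixture is meant to exercise. Given that json-jwt 1.9.4 drops url_safe_base64 from Gemfile.lock in this same commit, that looks like the motivation, but it is inferred from the bytes rather than stated. A .txt fixture cannot carry a comment, so the place for one is the spec that reads this file, or the commit message, e.g. `# signature altered in its data bits, not its base64 trailing bits, so decoding succeeds and only signature verification fails`, which would stop someone from "fixing" the fixture back.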
@@ -49,7 +49,9 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY access_token = json["access_token"] - access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8]) + access_token_check_num = Base64.urlsafe_encode64( + OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false + ) expect(decoded_token.at_hash).to eq(access_token_check_num) end @@ -93,7 +95,9 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY access_token = json["access_token"] - access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8]) + access_token_check_num = Base64.urlsafe_encode64( + OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false + ) expect(decoded_token.at_hash).to eq(access_token_check_num) end