nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Bump json-jwt and openid_connect

Browse source 
Fixes CVE-2018-1000539
This commit is contained in:
Benjamin Neff 2018-09-05 01:10:57 +02:00 committed by Dennis Schubert
parent 08e108d3d8
commit cd30a2814d
No known key found for this signature in database
GPG key ID: 5A0304BEA7966D7E
5 changed files with 18 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Gemfile
View file

@ -164,7 +164,7 @@ gem "omniauth-wordpress", "0.2.2"
gem "twitter", "6.2.0" gem "twitter", "6.2.0"
# OpenID Connect # OpenID Connect
gem "openid_connect", "1.1.5" gem "openid_connect", "1.1.6"
# Serializers # Serializers

18
Gemfile.lock
View file

@ -306,7 +306,7 @@ GEM
httparty (0.16.2) httparty (0.16.2)
multi_xml (>= 0.5.2) multi_xml (>= 0.5.2)
httpclient (2.8.3) httpclient (2.8.3)
i18n (1.0.0) i18n (1.1.0)
concurrent-ruby (~> 1.0) concurrent-ruby (~> 1.0)
i18n-inflector (2.6.7) i18n-inflector (2.6.7)
i18n (>= 0.4.1) i18n (>= 0.4.1)
@ -333,12 +333,10 @@ GEM
rails (>= 4.0, < 6.0) rails (>= 4.0, < 6.0)
sprockets (>= 3.0.0) sprockets (>= 3.0.0)
json (2.1.0) json (2.1.0)
json-jwt (1.9.2) json-jwt (1.9.4)
activesupport activesupport
aes_key_wrap aes_key_wrap
bindata bindata
securecompare
url_safe_base64
json-schema (2.8.0) json-schema (2.8.0)
addressable (>= 2.4) addressable (>= 2.4)
json-schema-rspec (0.0.4) json-schema-rspec (0.0.4)
@ -379,7 +377,7 @@ GEM
mime-types-data (~> 3.2015) mime-types-data (~> 3.2015)
mime-types-data (3.2016.0521) mime-types-data (3.2016.0521)
mini_magick (4.8.0) mini_magick (4.8.0)
mini_mime (1.0.0) mini_mime (1.0.1)
mini_portile2 (2.3.0) mini_portile2 (2.3.0)
minitest (5.11.3) minitest (5.11.3)
mobile-fu (1.4.0) mobile-fu (1.4.0)
@ -429,7 +427,7 @@ GEM
open_graph_reader (0.6.2) open_graph_reader (0.6.2)
faraday (>= 0.9.0) faraday (>= 0.9.0)
nokogiri (~> 1.6) nokogiri (~> 1.6)
openid_connect (1.1.5) openid_connect (1.1.6)
activemodel activemodel
attr_required (>= 1.0.0) attr_required (>= 1.0.0)
json-jwt (>= 1.5.0) json-jwt (>= 1.5.0)
@ -475,7 +473,7 @@ GEM
pry-byebug (3.6.0) pry-byebug (3.6.0)
byebug (~> 10.0) byebug (~> 10.0)
pry (~> 0.10) pry (~> 0.10)
public_suffix (3.0.2) public_suffix (3.0.3)
rack (2.0.5) rack (2.0.5)
rack-cors (1.0.2) rack-cors (1.0.2)
rack-google-analytics (1.2.0) rack-google-analytics (1.2.0)
@ -483,7 +481,7 @@ GEM
activesupport activesupport
rack-mobile-detect (0.4.0) rack-mobile-detect (0.4.0)
rack rack
rack-oauth2 (1.9.1) rack-oauth2 (1.9.2)
activesupport activesupport
attr_required attr_required
httpclient httpclient
@ -642,7 +640,6 @@ GEM
sass (~> 3.4.20) sass (~> 3.4.20)
secure_headers (5.0.5) secure_headers (5.0.5)
useragent (>= 0.15.0) useragent (>= 0.15.0)
securecompare (1.0.0)
shellany (0.0.1) shellany (0.0.1)
shoulda-matchers (3.1.2) shoulda-matchers (3.1.2)
activesupport (>= 4.0.0) activesupport (>= 4.0.0)
@ -728,7 +725,6 @@ GEM
unicorn-worker-killer (0.4.4) unicorn-worker-killer (0.4.4)
get_process_mem (~> 0) get_process_mem (~> 0)
unicorn (>= 4, < 6) unicorn (>= 4, < 6)
url_safe_base64 (0.2.2)
useragent (0.16.10) useragent (0.16.10)
uuid (2.3.8) uuid (2.3.8)
macaddr (~> 1.0) macaddr (~> 1.0)
@ -829,7 +825,7 @@ DEPENDENCIES
omniauth-twitter (= 1.4.0) omniauth-twitter (= 1.4.0)
omniauth-wordpress (= 0.2.2) omniauth-wordpress (= 0.2.2)
open_graph_reader (= 0.6.2) open_graph_reader (= 0.6.2)
openid_connect (= 1.1.5) openid_connect (= 1.1.6)
pg (= 1.0.0) pg (= 1.0.0)
poltergeist (= 1.17.0) poltergeist (= 1.17.0)
pronto (= 0.9.5) pronto (= 0.9.5)

4
spec/controllers/api/openid_connect/authorizations_controller_spec.rb
View file

@ -296,7 +296,9 @@ describe Api::OpenidConnect::AuthorizationsController, type: :request do
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
access_token = response.location[/(?<=access_token=)[^&]+/] access_token = response.location[/(?<=access_token=)[^&]+/]
access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8]) access_token_check_num = Base64.urlsafe_encode64(
OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false
)
expect(decoded_token.at_hash).to eq(access_token_check_num) expect(decoded_token.at_hash).to eq(access_token_check_num)
end end
end end

2
spec/fixtures/client_assertion_with_tampered_sig.txt vendored
View file

@ -1 +1 @@
eyJhbGciOiJSUzI1NiIsImtpZCI6ImExIn0.eyJhdWQiOiBbImh0dHBzOi8va2VudHNoaWthbWEuY29tL2FwaS9vcGVuaWRfY29ubmVjdC9hY2Nlc3NfdG9rZW5zIl0sICJpc3MiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UiLCAianRpIjogIjBtY3JyZVlIIiwgImV4cCI6IDE0NDMxNzA4OTEuMzk3NDU2LCAiaWF0IjogMTQ0MzE3MDI5MS4zOTc0NTYsICJzdWIiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UifQ.QJUR3SYFrEIlbfOKjO0NYInddklytbJ2LSWNpkQ1aNThgneDCVCjIYGCaL2C9Sw-GR8j7QSUsKOwBbjZMUmVPFTjsfB4wdgObbxVt1QAXwDjAXc5w1smOerRsoahZ4yKI1an6PTaFxMwnoXUQcBZTsOS6RgXOCPPPoxibxohxoehPLieM0l7LYcF5DQKg7fTxZYOpmtiP--nibJxomXdVQNLSnZuQwnyWtlp_gYmqrYMMN1LPSmNCgZMZZZIYttaaAIA96SylglqubowJRShtDO9rSvUz_sgeCo7qo5Bfb0B5n9_PtIlr1CZSVoHyYj2lVqQldx7fnGuqqQJCfDQoe eyJhbGciOiJSUzI1NiIsImtpZCI6ImExIn0.eyJhdWQiOiBbImh0dHBzOi8va2VudHNoaWthbWEuY29tL2FwaS9vcGVuaWRfY29ubmVjdC9hY2Nlc3NfdG9rZW5zIl0sICJpc3MiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UiLCAianRpIjogIjBtY3JyZVlIIiwgImV4cCI6IDE0NDMxNzA4OTEuMzk3NDU2LCAiaWF0IjogMTQ0MzE3MDI5MS4zOTc0NTYsICJzdWIiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UifQ.QJUR3SYFrEIlbfOKjO0NYInddklytbJ2LSWNpkQ1aNThgneDCVCjIYGCaL2C9Sw-GR8j7QSUsKOwBbjZMUmVPFTjsfB4wdgObbxVt1QAXwDjAXc5w1smOerRsoahZ4yKI1an6PTaFxMwnoXUQcBZTsOS6RgXOCPPPoxibxohxoehPLieM0l7LYcF5DQKg7fTxZYOpmtiP--nibJxomXdVQNLSnZuQwnyWtlp_gYmqrYMMN1LPSmNCgZMZZZIYttaaAIA96SylglqubowJRShtDO9rSvUz_sgeCo7qo5Bfb0B5n9_PtIlr1CZSVoHyYj2lVqQldx7fnGuqqQJCfDQoQ

8
spec/lib/api/openid_connect/token_endpoint_spec.rb
View file

@ -49,7 +49,9 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
access_token = json["access_token"] access_token = json["access_token"]
access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8]) access_token_check_num = Base64.urlsafe_encode64(
OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false
)
expect(decoded_token.at_hash).to eq(access_token_check_num) expect(decoded_token.at_hash).to eq(access_token_check_num)
end end
@ -93,7 +95,9 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
access_token = json["access_token"] access_token = json["access_token"]
access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8]) access_token_check_num = Base64.urlsafe_encode64(
OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false
)
expect(decoded_token.at_hash).to eq(access_token_check_num) expect(decoded_token.at_hash).to eq(access_token_check_num)
end end