NotificationsYou must be signed in to change notification settings
Fork112
Star722

Commit34c45b2

authored

Merge commit from fork

2 parentsb9fb8d3 +49bc39b commit34c45b2Copy full SHA for 34c45b2

File tree

6 files changed

+155

-6

lines changed

6 files changed

+155

-6

lines changed

`‎.gitignore‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,3 +2,4 @@ node_modules`
`2`	`2`	`/test/keys`
`3`	`3`	`/test/*.pem`
`4`	`4`	`/test/encrypted-key-passphrase`
	`5`	`+package-lock.json`

`‎CHANGELOG.md‎`

Lines changed: 24 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,8 +1,29 @@`
`1`	`1`	`#Change Log`
	`2`	`+`
`2`	`3`	`All notable changes to this project will be documented in this file.`
`3`	`4`
	`5`	`+##[4.0.1]`
	`6`	`+`
	`7`	`+###Changed`
	`8`	`+`
	`9`	`+- Fix advisoryGHSA-869p-cjfg-cm3x: createSign and createVerify now require`
	`10`	`+ that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key)`
	`11`	`+ when using HMAC algorithms.`
	`12`	`+- Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.`
	`13`	`+`
	`14`	`+##[3.2.3]`
	`15`	`+`
	`16`	`+###Changed`
	`17`	`+`
	`18`	`+- Fix advisoryGHSA-869p-cjfg-cm3x: createSign and createVerify now require`
	`19`	`+ that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key)`
	`20`	`+ when using HMAC algorithms.`
	`21`	`+- Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.`
	`22`	`+`
`4`	`23`	`##[3.0.0]`
	`24`	`+`
`5`	`25`	`###Changed`
	`26`	`+`
`6`	`27`	-BREAKING:`jwt.verify` now requires an`algorithm` parameter, and
`7`	`28`	`jws.createVerify` requires an`algorithm` option. The`"alg"` field
`8`	`29`	`signature headers is ignored. This mitigates a critical security flaw`
`@@ -12,7 +33,9 @@ All notable changes to this project will be documented in this file.`
`12`	`33`	`for details.`
`13`	`34`
`14`	`35`	`##[2.0.0] - 2015-01-30`
	`36`	`+`
`15`	`37`	`###Changed`
	`38`	`+`
`16`	`39`	-BREAKING: Default payload encoding changed from`binary` to
`17`	`40`	`utf8`.`utf8` is a is a more sensible default than`binary` because
`18`	`41`	`many payloads, as far as I can tell, will contain user-facing`
`@@ -21,14 +44,13 @@ All notable changes to this project will be documented in this file.`
`21`	`44`	`- Code reorganization, thanks[@fearphage]! (<code>[7880050]</code>)`
`22`	`45`
`23`	`46`	`###Added`
	`47`	`+`
`24`	`48`	- Option in all relevant methods for`encoding`. For those few users
`25`	`49`	that might be depending on a`binary` encoding of the messages, this
`26`	`50`	`is for them. (<code>[6b6de48]</code>)`
`27`	`51`
`28`	`52`	`[unreleased]:https://github.com/brianloveswords/node-jws/compare/v2.0.0...HEAD`
`29`	`53`	`[2.0.0]:https://github.com/brianloveswords/node-jws/compare/v1.0.1...v2.0.0`
`30`		`-`
`31`	`54`	`[7880050]:https://github.com/brianloveswords/node-jws/commit/7880050`
`32`	`55`	`[6b6de48]:https://github.com/brianloveswords/node-jws/commit/6b6de48`
`33`		`-`
`34`	`56`	`[@fearphage]:https://github.com/fearphage`

`‎lib/sign-stream.js‎`

Lines changed: 6 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,12 @@ function jwsSign(opts) {`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`functionSignStream(opts){`
`37`		`-varsecret=opts.secret\|\|opts.privateKey\|\|opts.key;`
	`37`	`+varsecret=opts.secret;`
	`38`	`+secret=secret==null ?opts.privateKey :secret;`
	`39`	`+secret=secret==null ?opts.key :secret;`
	`40`	`+if(/^hs/i.test(opts.header.alg)===true&&secret==null){`
	`41`	`+thrownewTypeError('secret must be a string or buffer or a KeyObject')`
	`42`	`+}`
`38`	`43`	`varsecretStream=newDataStream(secret);`
`39`	`44`	`this.readable=true;`
`40`	`45`	`this.header=opts.header;`

`‎lib/verify-stream.js‎`

Lines changed: 6 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,12 @@ function jwsDecode(jwsSig, opts) {`
`79`	`79`
`80`	`80`	`functionVerifyStream(opts){`
`81`	`81`	`opts=opts\|\|{};`
`82`		`-varsecretOrKey=opts.secret\|\|opts.publicKey\|\|opts.key;`
	`82`	`+varsecretOrKey=opts.secret;`
	`83`	`+secretOrKey=secretOrKey==null ?opts.publicKey :secretOrKey;`
	`84`	`+secretOrKey=secretOrKey==null ?opts.key :secretOrKey;`
	`85`	`+if(/^hs/i.test(opts.algorithm)===true&&secretOrKey==null){`
	`86`	`+thrownewTypeError('secret must be a string or buffer or a KeyObject')`
	`87`	`+}`
`83`	`88`	`varsecretStream=newDataStream(secretOrKey);`
`84`	`89`	`this.readable=true;`
`85`	`90`	`this.algorithm=opts.algorithm;`

`‎package.json‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name":"jws",`
`3`		`-"version":"4.0.0",`
	`3`	`+"version":"4.0.1",`
`4`	`4`	`"description":"Implementation of JSON Web Signatures",`
`5`	`5`	`"main":"index.js",`
`6`	`6`	`"directories": {`
`@@ -24,7 +24,7 @@`
`24`	`24`	`"readmeFilename":"readme.md",`
`25`	`25`	`"gitHead":"c0f6b27bcea5a2ad2e304d91c2e842e4076a6b03",`
`26`	`26`	`"dependencies": {`
`27`		`-"jwa":"^2.0.0",`
	`27`	`+"jwa":"^2.0.1",`
`28`	`28`	`"safe-buffer":"^5.0.1"`
`29`	`29`	`},`
`30`	`30`	`"devDependencies": {`

`‎test/jws.test.js‎`

Lines changed: 116 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -329,3 +329,119 @@ test('jws.isValid', function (t) {`
`329`	`329`	`t.same(jws.isValid(valid),true);`
`330`	`330`	`t.end();`
`331`	`331`	`});`
	`332`	`+`
	`333`	`+test('Streaming sign: HMAC with empty secret buffer',function(t){`
	`334`	`+constdataStream=readstream('data.txt');`
	`335`	`+constsecret=Buffer.alloc(0);`
	`336`	`+constsig=jws.createSign({`
	`337`	`+header:{alg:'HS256'},`
	`338`	`+secret:secret`
	`339`	`+});`
	`340`	`+dataStream.pipe(sig.payload);`
	`341`	`+sig.on('done',function(signature){`
	`342`	`+t.ok(jws.verify(signature,'HS256',secret),'should verify');`
	`343`	`+t.end();`
	`344`	`+}).sign();`
	`345`	`+});`
	`346`	`+`
	`347`	`+test('Streaming sign: HMAC with empty secret string',function(t){`
	`348`	`+constdataStream=readstream('data.txt');`
	`349`	`+constsecret='';`
	`350`	`+constsig=jws.createSign({`
	`351`	`+header:{alg:'HS256'},`
	`352`	`+secret:secret`
	`353`	`+});`
	`354`	`+dataStream.pipe(sig.payload);`
	`355`	`+sig.on('done',function(signature){`
	`356`	`+t.ok(jws.verify(signature,'HS256',secret),'should verify');`
	`357`	`+t.end();`
	`358`	`+}).sign();`
	`359`	`+});`
	`360`	`+`
	`361`	`+test('Streaming sign: HMAC with undefined secret',function(t){`
	`362`	`+try{`
	`363`	`+jws.createSign({`
	`364`	`+header:{alg:'HS256'},`
	`365`	`+secret:undefined`
	`366`	`+});`
	`367`	`+t.fail('should have errored');`
	`368`	`+t.end();`
	`369`	`+}catch(error){`
	`370`	`+t.equal(error.name,'TypeError');`
	`371`	`+t.equal(error.message,'secret must be a string or buffer or a KeyObject');`
	`372`	`+t.end();`
	`373`	`+}`
	`374`	`+});`
	`375`	`+`
	`376`	`+test('Streaming sign: HMAC with null secret',function(t){`
	`377`	`+try{`
	`378`	`+jws.createSign({`
	`379`	`+header:{alg:'HS256'},`
	`380`	`+secret:null`
	`381`	`+});`
	`382`	`+t.fail('should have errored');`
	`383`	`+t.end();`
	`384`	`+}catch(error){`
	`385`	`+t.equal(error.name,'TypeError');`
	`386`	`+t.equal(error.message,'secret must be a string or buffer or a KeyObject');`
	`387`	`+t.end();`
	`388`	`+}`
	`389`	`+});`
	`390`	`+`
	`391`	`+test('Streaming verify: HMAC with empty secret buffer',function(t){`
	`392`	`+constsecret=Buffer.alloc(0);`
	`393`	`+jws.createVerify({`
	`394`	`+signature:'eyJhbGciOiJIUzI1NiJ9.b25lLCB0d28sIHRocmVlCg.V1oQ0aq6FgAoe7C2TORtYpQAbYzJoFNFZlJkTlF1e60',`
	`395`	`+algorithm:'HS256',`
	`396`	`+secret:secret`
	`397`	`+}).on('done',function(valid,decoded){`
	`398`	`+t.true(valid);`
	`399`	`+t.same(decoded.payload,readfile('data.txt'));`
	`400`	`+t.end();`
	`401`	`+}).verify();`
	`402`	`+});`
	`403`	`+`
	`404`	`+test('Streaming verify: HMAC with empty secret string',function(t){`
	`405`	`+constsecret='';`
	`406`	`+jws.createVerify({`
	`407`	`+signature:'eyJhbGciOiJIUzI1NiJ9.b25lLCB0d28sIHRocmVlCg.V1oQ0aq6FgAoe7C2TORtYpQAbYzJoFNFZlJkTlF1e60',`
	`408`	`+algorithm:'HS256',`
	`409`	`+secret:secret`
	`410`	`+}).on('done',function(valid,decoded){`
	`411`	`+t.true(valid);`
	`412`	`+t.same(decoded.payload,readfile('data.txt'));`
	`413`	`+t.end();`
	`414`	`+}).verify();`
	`415`	`+});`
	`416`	`+`
	`417`	`+test('Streaming verify: HMAC with undefined secret',function(t){`
	`418`	`+try{`
	`419`	`+jws.createVerify({`
	`420`	`+signature:'eyJhbGciOiJIUzI1NiJ9.b25lLCB0d28sIHRocmVlCg.V1oQ0aq6FgAoe7C2TORtYpQAbYzJoFNFZlJkTlF1e60',`
	`421`	`+algorithm:'HS256',`
	`422`	`+secret:undefined`
	`423`	`+});`
	`424`	`+t.fail('should have errored');`
	`425`	`+t.end();`
	`426`	`+}catch(error){`
	`427`	`+t.equal(error.name,'TypeError');`
	`428`	`+t.equal(error.message,'secret must be a string or buffer or a KeyObject');`
	`429`	`+t.end();`
	`430`	`+}`
	`431`	`+});`
	`432`	`+`
	`433`	`+test('Streaming verify: HMAC with null secret',function(t){`
	`434`	`+try{`
	`435`	`+jws.createVerify({`
	`436`	`+signature:'eyJhbGciOiJIUzI1NiJ9.b25lLCB0d28sIHRocmVlCg.V1oQ0aq6FgAoe7C2TORtYpQAbYzJoFNFZlJkTlF1e60',`
	`437`	`+algorithm:'HS256',`
	`438`	`+secret:null`
	`439`	`+});`
	`440`	`+t.fail('should have errored');`
	`441`	`+t.end();`
	`442`	`+}catch(error){`
	`443`	`+t.equal(error.name,'TypeError');`
	`444`	`+t.equal(error.message,'secret must be a string or buffer or a KeyObject');`
	`445`	`+t.end();`
	`446`	`+}`
	`447`	`+});`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit34c45b2

File tree

6 files changed

6 files changed

`‎.gitignore‎`

`‎CHANGELOG.md‎`

`‎lib/sign-stream.js‎`

`‎lib/verify-stream.js‎`

`‎package.json‎`

`‎test/jws.test.js‎`

0 commit comments