From 33022c25525c1020869c71ce2a4109e44ae4ced1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Padilla?= Date: Wed, 27 Nov 2024 22:19:49 -0500 Subject: [PATCH 1/3] Merge commit from fork This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. ```diff - if isinstance(issuer, list): + if isinstance(issuer, Sequence): if payload["iss"] not in issuer: raise InvalidIssuerError("Invalid issuer") else: ``` Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. Co-authored-by: Fabian Badoi --- jwt/api_jwt.py | 6 +++--- tests/test_api_jwt.py | 10 ++++++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py index fa4d5e6f0..3a201436c 100644 --- a/jwt/api_jwt.py +++ b/jwt/api_jwt.py @@ -419,11 +419,11 @@ def _validate_iss(self, payload: dict[str, Any], issuer: Any) -> None: if "iss" not in payload: raise MissingRequiredClaimError("iss") - if isinstance(issuer, Sequence): - if payload["iss"] not in issuer: + if isinstance(issuer, str): + if payload["iss"] != issuer: raise InvalidIssuerError("Invalid issuer") else: - if payload["iss"] != issuer: + if payload["iss"] not in issuer: raise InvalidIssuerError("Invalid issuer") diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py index 7cc583bd7..ec68a079b 100644 --- a/tests/test_api_jwt.py +++ b/tests/test_api_jwt.py 
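Review bot: The new `if isinstance(issuer, str):` / `else:` split in `_validate_iss` carries no comment saying why a string issuer must be compared with `!=` rather than `in`, and since a str is itself a Sequence the next reader who "simplifies" this back to one membership test reintroduces the substring match this commit removes. Add above the `if isinstance(issuer, str):` line: `# A str is a Sequence too: compare it with != because "in" would accept any substring of the configured issuer (GHSA-75c5-xw7c-p5pm).` The `else` branch still applies `in` to whatever the caller passed, so a `bytes` issuer now raises TypeError instead of InvalidIssuerError, and `payload["iss"]` itself is never type-checked; a guard such as `if not isinstance(payload["iss"], str): raise InvalidIssuerError("Invalid issuer")` ahead of the branches would keep any non-string claim value on the InvalidIssuerError path rather than, presumably, a TypeError from the comparison. Whether the `Sequence` import dropped from this branch is still used elsewhere in the file is not visible in the hunk.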
@@ -464,6 +464,16 @@ def test_raise_exception_token_without_issuer(self, jwt): assert exc.value.claim == "iss" + def test_rasise_exception_on_partial_issuer_match(self, jwt): + issuer = "urn:expected" + + payload = {"iss": "urn:"} + + token = jwt.encode(payload, "secret") + + with pytest.raises(InvalidIssuerError): + jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"]) + def test_raise_exception_token_without_audience(self, jwt): payload = {"some": "payload"} token = jwt.encode(payload, "secret") From 37748dc1e328f120aa04ec98b2a71a0af6301a24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Padilla?= Date: Wed, 27 Nov 2024 22:29:52 -0500 Subject: [PATCH 2/3] update changelog --- CHANGELOG.rst | 11 ++++++++++- jwt/__init__.py | 2 +- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index fb6cb77fc..7d4c48493 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -4,10 +4,19 @@ Changelog All notable changes to this project will be documented in this file. This project adheres to `Semantic Versioning `__. -`Unreleased `__ +`Unreleased `__ ------------------------------------------------------------------------ +`v2.10.1 `__ +----------------------------------------------------------------------- + + +Fixed +~~~~~ + +- Prevent partial matching of `iss` claim by @fabianbadoi in `GHSA-75c5-xw7c-p5pm `__ + `v2.10.0 `__ ----------------------------------------------------------------------- diff --git a/jwt/__init__.py b/jwt/__init__.py index 9d4b67449..457a4e358 100644 --- a/jwt/__init__.py +++ b/jwt/__init__.py @@ -27,7 +27,7 @@ ) from .jwks_client import PyJWKClient -__version__ = "2.10.0" +__version__ = "2.10.1" __title__ = "PyJWT" __description__ = "JSON Web Token implementation in Python" From 3ebbb22f30f2b1b41727b269a08b427e9a85d6bb Mon Sep 17 00:00:00 2001 
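Review bot: The added test's name `test_rasise_exception_on_partial_issuer_match` has a typo ("rasise") that the follow-up lint commit does not touch; rename it to `test_raise_exception_on_partial_issuer_match` so it matches its neighbours. It also only exercises the string-issuer branch of `_validate_iss`: a sibling case passing `issuer=["urn:expected"]` with the same partial `iss` of "urn:" would pin the list branch, and one with `iss` equal to "urn:expected" would show that the exact match still decodes after the change. The enclosing test class starts outside the hunk.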
From: =?UTF-8?q?Jos=C3=A9=20Padilla?= Date: Wed, 27 Nov 2024 22:30:29 -0500 Subject: [PATCH 3/3] fix lint --- tests/test_api_jwt.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py index ec68a079b..4b4bdcd1d 100644 --- a/tests/test_api_jwt.py +++ b/tests/test_api_jwt.py @@ -473,7 +473,7 @@ def test_rasise_exception_on_partial_issuer_match(self, jwt): with pytest.raises(InvalidIssuerError): jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"]) - + def test_raise_exception_token_without_audience(self, jwt): payload = {"some": "payload"} token = jwt.encode(payload, "secret")