authorGravatar Dylan Conway <dylan.conway567@gmail.com> 2023-10-14 12:58:30 -0700
committerGravatar Dylan Conway <dylan.conway567@gmail.com> 2023-10-14 12:58:30 -0700
commitf9add8b6bea4df3cdbd56a21f17e4cab1a854e4e (patch)
tree8e5306104d81c67b771181337bba02cd9ec39453 /test/js/third_party/jsonwebtoken/jwt.malicious.test.js
parent81a1a58d66c598ea35c42453d0ba4c6341a940fc (diff)
parent9b5e66453b0879ed77b71dcdbe50e4efa184261e (diff)
Merge branch 'main' into sdlsdl
Diffstat (limited to '')
-rw-r--r--test/js/third_party/jsonwebtoken/jwt.malicious.test.js44
1 files changed, 44 insertions, 0 deletions
diff --git a/test/js/third_party/jsonwebtoken/jwt.malicious.test.js b/test/js/third_party/jsonwebtoken/jwt.malicious.test.js
new file mode 100644
index 000000000..8e31859cb
--- /dev/null
+++ b/test/js/third_party/jsonwebtoken/jwt.malicious.test.js
@@ -0,0 +1,44 @@
+import jwt from "jsonwebtoken";
+import { expect, describe, it } from "bun:test";
+import crypto from "crypto";
+
+describe("when verifying a malicious token", function () {
+ // attacker has access to the public rsa key, but crafts the token as HS256
+ // with kid set to the id of the rsa key, instead of the id of the hmac secret.
+ // const maliciousToken = jwt.sign(
+ // {foo: 'bar'},
+ // pubRsaKey,
+ // {algorithm: 'HS256', keyid: 'rsaKeyId'}
+ // );
+ // consumer accepts self signed tokens (HS256) and third party tokens (RS256)
+ const options = { algorithms: ["RS256", "HS256"] };
+
+ const { publicKey: pubRsaKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
+
+ it("should not allow HMAC verification with an RSA key in KeyObject format", function () {
+ const maliciousToken =
+ "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJzYUtleUlkIn0.eyJmb28iOiJiYXIiLCJpYXQiOjE2NTk1MTA2MDh9.cOcHI1TXPbxTMlyVTfjArSWskrmezbrG8iR7uJHwtrQ";
+
+ expect(() => jwt.verify(maliciousToken, pubRsaKey, options)).toThrow("must be a symmetric key");
+ });
+
+ it("should not allow HMAC verification with an RSA key in PEM format", function () {
+ const maliciousToken =
+ "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJzYUtleUlkIn0.eyJmb28iOiJiYXIiLCJpYXQiOjE2NTk1MTA2MDh9.cOcHI1TXPbxTMlyVTfjArSWskrmezbrG8iR7uJHwtrQ";
+
+ expect(() => jwt.verify(maliciousToken, pubRsaKey.export({ type: "spki", format: "pem" }), options)).toThrow(
+ "must be a symmetric key",
+ );
+ });
+
+ it("should not allow arbitrary execution from malicious Buffers containing objects with overridden toString functions", function () {
+ const token = jwt.sign({ "foo": "bar" }, "secret");
+ const maliciousBuffer = {
+ toString: () => {
+ throw new Error("Arbitrary Code Execution");
+ },
+ };
+
+ expect(() => jwt.verify(token, maliciousBuffer)).toThrow("not valid key material");
+ });
+});
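Review bot: The suite has no positive control for the `options` object on line 39, so a regression that made `jwt.verify` reject every key would still pass all three `toThrow` assertions. A third `it` that signs and verifies a legitimate HS256 token under the same `options` would pin that the rejection is key-type based rather than blanket: `expect(jwt.verify(jwt.sign({ foo: "bar" }, "secret"), "secret", options)).toMatchObject({ foo: "bar" });`. Note also that the hard-coded token on lines 45 and 52 cannot have been signed with `pubRsaKey`, which is freshly generated on line 41 each run, so these two tests implicitly depend on the library checking key type before signature validity; a comment such as `// signature is irrelevant here: the key-type check must fire first` above line 47 would make that dependency explicit. Matching on the exact strings "must be a symmetric key" and "not valid key material" couples the tests to jsonwebtoken's wording, which is acceptable for a third-party compatibility test but worth stating in the describe comment.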