aboutsummaryrefslogtreecommitdiff
path: root/test/js/third_party/jsonwebtoken/jwt.malicious.test.js
diff options
context:
space:
mode:
Diffstat (limited to 'test/js/third_party/jsonwebtoken/jwt.malicious.test.js')
-rw-r--r--test/js/third_party/jsonwebtoken/jwt.malicious.test.js44
1 files changed, 44 insertions, 0 deletions
diff --git a/test/js/third_party/jsonwebtoken/jwt.malicious.test.js b/test/js/third_party/jsonwebtoken/jwt.malicious.test.js
new file mode 100644
index 000000000..8e31859cb
--- /dev/null
+++ b/test/js/third_party/jsonwebtoken/jwt.malicious.test.js
@@ -0,0 +1,44 @@
+import jwt from "jsonwebtoken";
+import { expect, describe, it } from "bun:test";
+import crypto from "crypto";
+
+describe("when verifying a malicious token", function () {
+ // attacker has access to the public rsa key, but crafts the token as HS256
+ // with kid set to the id of the rsa key, instead of the id of the hmac secret.
+ // const maliciousToken = jwt.sign(
+ // {foo: 'bar'},
+ // pubRsaKey,
+ // {algorithm: 'HS256', keyid: 'rsaKeyId'}
+ // );
+ // consumer accepts self signed tokens (HS256) and third party tokens (RS256)
+ const options = { algorithms: ["RS256", "HS256"] };
+
+ const { publicKey: pubRsaKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
+
+ it("should not allow HMAC verification with an RSA key in KeyObject format", function () {
+ const maliciousToken =
+ "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJzYUtleUlkIn0.eyJmb28iOiJiYXIiLCJpYXQiOjE2NTk1MTA2MDh9.cOcHI1TXPbxTMlyVTfjArSWskrmezbrG8iR7uJHwtrQ";
+
+ expect(() => jwt.verify(maliciousToken, pubRsaKey, options)).toThrow("must be a symmetric key");
+ });
+
+ it("should not allow HMAC verification with an RSA key in PEM format", function () {
+ const maliciousToken =
+ "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJzYUtleUlkIn0.eyJmb28iOiJiYXIiLCJpYXQiOjE2NTk1MTA2MDh9.cOcHI1TXPbxTMlyVTfjArSWskrmezbrG8iR7uJHwtrQ";
+
+ expect(() => jwt.verify(maliciousToken, pubRsaKey.export({ type: "spki", format: "pem" }), options)).toThrow(
+ "must be a symmetric key",
+ );
+ });
+
+ it("should not allow arbitrary execution from malicious Buffers containing objects with overridden toString functions", function () {
+ const token = jwt.sign({ "foo": "bar" }, "secret");
+ const maliciousBuffer = {
+ toString: () => {
+ throw new Error("Arbitrary Code Execution");
+ },
+ };
+
+ expect(() => jwt.verify(token, maliciousBuffer)).toThrow("not valid key material");
+ });
+});
generated by cgit v1.2.3 (git 2.39.1) at 2025-06-27 07:53:47 +0000