From 35109160ca5d439116bedeb3302ec3745e2895d5 Mon Sep 17 00:00:00 2001 From: Ciro Spaciari Date: Sat, 7 Oct 2023 19:22:45 -0300 Subject: feat(KeyObject) (#5940) * oops * createSecretKey but weird error * use the right prototype, do not add a function called export lol * HMAC JWT export + base64 fix * Fix Equals, Fix Get KeySize, add complete export RSA * fix RSA export * add EC exports * X25519 and ED25519 export + fixes * fix default exports * better asymmetricKeyType * fix private exports * fix symmetricKeySize * createPublicKey validations + refactor * jwt + der fixes * oopsies * add PEM into createPublicKey * cleanup * WIP * bunch of fixes * public from private + private OKP * encrypted keys fixes * oops * fix clear tls error, add some support to jwk and other formats on publicEncrypt/publicDecrypt * more fixes and tests working * more fixes more tests * more clear hmac errors * more tests and fixes * add generateKeyPair * more tests passing, some skips * fix EC key from private * fix OKP JWK * nodejs ignores ext and key_ops on KeyObject.exports * add EC sign verify test * some fixes * add crypto.generateKeyPairSync(type, options) * more fixes and more tests * fix hmac tests * jsonwebtoken tests * oops * oops2 * generated files * revert package.json * vm tests * todos instead of failues * toBunString -> toString * undo simdutf * improvements * unlikely * cleanup * cleanup 2 * oops * move _generateKeyPairSync checks to native --- .../third_party/jsonwebtoken/jwt.malicious.test.js | 44 ++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 test/js/third_party/jsonwebtoken/jwt.malicious.test.js (limited to 'test/js/third_party/jsonwebtoken/jwt.malicious.test.js') diff --git a/test/js/third_party/jsonwebtoken/jwt.malicious.test.js b/test/js/third_party/jsonwebtoken/jwt.malicious.test.js new file mode 100644 index 000000000..8e31859cb --- /dev/null +++ b/test/js/third_party/jsonwebtoken/jwt.malicious.test.js @@ -0,0 +1,44 @@ +import jwt from "jsonwebtoken"; +import { expect, describe, it } from "bun:test"; +import crypto from "crypto"; + +describe("when verifying a malicious token", function () { + // attacker has access to the public rsa key, but crafts the token as HS256 + // with kid set to the id of the rsa key, instead of the id of the hmac secret. + // const maliciousToken = jwt.sign( + // {foo: 'bar'}, + // pubRsaKey, + // {algorithm: 'HS256', keyid: 'rsaKeyId'} + // ); + // consumer accepts self signed tokens (HS256) and third party tokens (RS256) + const options = { algorithms: ["RS256", "HS256"] }; + + const { publicKey: pubRsaKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 }); + + it("should not allow HMAC verification with an RSA key in KeyObject format", function () { + const maliciousToken = + "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJzYUtleUlkIn0.eyJmb28iOiJiYXIiLCJpYXQiOjE2NTk1MTA2MDh9.cOcHI1TXPbxTMlyVTfjArSWskrmezbrG8iR7uJHwtrQ"; + + expect(() => jwt.verify(maliciousToken, pubRsaKey, options)).toThrow("must be a symmetric key"); + }); + + it("should not allow HMAC verification with an RSA key in PEM format", function () { + const maliciousToken = + "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJzYUtleUlkIn0.eyJmb28iOiJiYXIiLCJpYXQiOjE2NTk1MTA2MDh9.cOcHI1TXPbxTMlyVTfjArSWskrmezbrG8iR7uJHwtrQ"; + + expect(() => jwt.verify(maliciousToken, pubRsaKey.export({ type: "spki", format: "pem" }), options)).toThrow( + "must be a symmetric key", + ); + }); + + it("should not allow arbitrary execution from malicious Buffers containing objects with overridden toString functions", function () { + const token = jwt.sign({ "foo": "bar" }, "secret"); + const maliciousBuffer = { + toString: () => { + throw new Error("Arbitrary Code Execution"); + }, + }; + + expect(() => jwt.verify(token, maliciousBuffer)).toThrow("not valid key material"); + }); +}); -- cgit v1.2.3