From 7afd527af11eb5132b7b3db883bebfa3275499f2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Apr 2024 11:09:45 -0600
Subject: [PATCH] Bump github.com/lestrrat-go/jwx from 1.2.28 to 1.2.29 (#7959)

Bumps [github.com/lestrrat-go/jwx](https://github.com/lestrrat-go/jwx) from 1.2.28 to 1.2.29.
- [Release notes](https://github.com/lestrrat-go/jwx/releases)
- [Changelog](https://github.com/lestrrat-go/jwx/blob/v1.2.29/Changes)
- [Commits](https://github.com/lestrrat-go/jwx/compare/v1.2.28...v1.2.29)

---
updated-dependencies:
- dependency-name: github.com/lestrrat-go/jwx
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 8 ++---
 go.sum | 25 ++++++++------
 vendor/github.com/lestrrat-go/jwx/Changes | 7 ++++
 .../lestrrat-go/jwx/jwe/compress.go | 33 +++++++++++++++++--
 vendor/github.com/lestrrat-go/jwx/jwe/jwe.go | 19 ++++++++---
 .../github.com/lestrrat-go/jwx/jwe/message.go | 3 +-
 .../github.com/lestrrat-go/jwx/jwe/options.go | 9 +++++
 vendor/modules.txt | 10 +++---
 8 files changed, 87 insertions(+), 27 deletions(-)

diff --git a/go.mod b/go.mod
index 51c70f43b5..892547026f 100644
--- a/go.mod
+++ b/go.mod
@@ -40,7 +40,7 @@ require (
 	github.com/json-iterator/go v1.1.12
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/kylelemons/godebug v1.1.1-0.20201107061927-e693023230a4
-	github.com/lestrrat-go/jwx v1.2.28
+	github.com/lestrrat-go/jwx v1.2.29
 	github.com/lib/pq v1.10.4
 	github.com/miekg/dns v1.1.43
 	github.com/onsi/ginkgo v1.16.5
@@ -48,9 +48,9 @@ require (
 	github.com/pborman/getopt/v2 v2.1.0
 	github.com/pkg/errors v0.9.1
 	go.etcd.io/bbolt v1.3.6
-	golang.org/x/crypto v0.17.0
-	golang.org/x/net v0.17.0
-	golang.org/x/sys v0.15.0
+	golang.org/x/crypto v0.21.0
+	golang.org/x/net v0.21.0
+	golang.org/x/sys v0.18.0
 	gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
diff --git a/go.sum b/go.sum
index a53b96123d..38aaeb3771 100644
--- a/go.sum
+++ b/go.sum
@@ -944,8 +944,8 @@ github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZ
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx v1.2.28 h1:uadI6o0WpOVrBSf498tRXZIwPpEtLnR9CvqPFXeI5sA=
-github.com/lestrrat-go/jwx v1.2.28/go.mod h1:nF+91HEMh/MYFVwKPl5HHsBGMPscqbQb+8IDQdIazP8=
+github.com/lestrrat-go/jwx v1.2.29 h1:QT0utmUJ4/12rmsVQrJ3u55bycPkKqGYuGT4tyRhxSQ=
+github.com/lestrrat-go/jwx v1.2.29/go.mod h1:hU8k2l6WF0ncx20uQdOmik/Gjg6E3/wIRtXSNFeZuB8=
 github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
@@ -1280,6 +1280,7 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.0/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
@@ -1290,8 +1291,9 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
@@ -1429,8 +1431,9 @@ golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1551,8 +1554,8 @@ golang.org/x/net v0.0.0-20211013171255-e13a2654a71e/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/oauth2 v0.0.0-20180227000427-d7d64896b5ff/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1701,14 +1704,16 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/vendor/github.com/lestrrat-go/jwx/Changes b/vendor/github.com/lestrrat-go/jwx/Changes
index 897ab3c66a..40f831387d 100644
--- a/vendor/github.com/lestrrat-go/jwx/Changes
+++ b/vendor/github.com/lestrrat-go/jwx/Changes
@@ -1,6 +1,13 @@
 Changes
 =======
 
+v1.2.29 07 Mar 2024
+  * [jwe] Added `jwe.Settings(jwe.WithMaxDecompressBufferSize(int64))` to specify the
+    maximum size of a decompressed JWE payload. The default value is 10MB. If you
+    are compressing payloads greater than this, you need to explicitly set it.
+
+    Unlike in v2, there is no way to set this globally. Please use v2 if this is required.
+
 v1.2.28 09 Jan 2024
 [Security Fixes]
   * [jws] JWS messages formated in full JSON format (i.e. not the compact format, which
diff --git a/vendor/github.com/lestrrat-go/jwx/jwe/compress.go b/vendor/github.com/lestrrat-go/jwx/jwe/compress.go
index e3836a693d..6956cabdac 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwe/compress.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwe/compress.go
@@ -3,15 +3,42 @@ package jwe
 import (
 	"bytes"
 	"compress/flate"
-	"io/ioutil"
+	"io"
 
 	"github.com/lestrrat-go/jwx/internal/pool"
 	"github.com/lestrrat-go/jwx/jwa"
 	"github.com/pkg/errors"
 )
 
-func uncompress(plaintext []byte) ([]byte, error) {
-	return ioutil.ReadAll(flate.NewReader(bytes.NewReader(plaintext)))
+func uncompress(src []byte, maxBufferSize int64) ([]byte, error) {
+	var dst bytes.Buffer
+	r := flate.NewReader(bytes.NewReader(src))
+	defer r.Close()
+	var buf [16384]byte
+	var sofar int64
+	for {
+		n, readErr := r.Read(buf[:])
+		sofar += int64(n)
+		if sofar > maxBufferSize {
+			return nil, errors.New(`compressed payload exceeds maximum allowed size`)
+		}
+		if readErr != nil {
+			// if we have a read error, and it's not EOF, then we need to stop
+			if readErr != io.EOF {
+				return nil, errors.Wrap(readErr, `failed to read inflated data`)
+			}
+		}
+
+		if _, err := dst.Write(buf[:n]); err != nil {
+			return nil, errors.Wrap(err, `failed to write inflated data`)
+		}
+
+		if readErr != nil {
+			// if it got here, then readErr == io.EOF, we're done
+			//nolint:nilerr
+			return dst.Bytes(), nil
+		}
+	}
 }
 
 func compress(plaintext []byte, alg jwa.CompressionAlgorithm) ([]byte, error) {
diff --git a/vendor/github.com/lestrrat-go/jwx/jwe/jwe.go b/vendor/github.com/lestrrat-go/jwx/jwe/jwe.go
index d26d14c222..95c48abd07 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwe/jwe.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwe/jwe.go
@@ -25,7 +25,7 @@ import (
 
 var registry = json.NewRegistry()
 
-// Encrypt takes the plaintext payload and encrypts it in JWE compact format.
+// Encrypt takes the pllaintext payload and encrypts it in JWE compact format.
 // `key` should be a public key, and it may be a raw key (e.g. rsa.PublicKey) or a jwk.Key
 //
 // Encrypt currently does not support multi-recipient messages.
@@ -179,9 +179,10 @@ type DecryptCtx interface {
 }
 
 type decryptCtx struct {
-	alg jwa.KeyEncryptionAlgorithm
-	key interface{}
-	msg *Message
+	alg jwa.KeyEncryptionAlgorithm
+	key interface{}
+	msg *Message
+	maxDecompressBufferSize int64
 }
 
 func (ctx *decryptCtx) Algorithm() jwa.KeyEncryptionAlgorithm {
@@ -213,6 +214,11 @@ func (ctx *decryptCtx) SetMessage(m *Message) {
 // The JWE message can be either compact or full JSON format.
 //
 // `key` must be a private key. It can be either in its raw format (e.g. *rsa.PrivateKey) or a jwk.Key
+//
+// The decrypted payload must be smaller than the amount specified by the
+// `jwe.WithMaxDecompressBufferSize` setting, which defaults to 10MB.
+//
+// jwe.Decrypt(..., jwe.WithMaxDecompressBufferSize(250*1024))
 func Decrypt(buf []byte, alg jwa.KeyEncryptionAlgorithm, key interface{}, options ...DecryptOption) ([]byte, error) {
 	var ctx decryptCtx
 	ctx.key = key
@@ -220,6 +226,8 @@ func Decrypt(buf []byte, alg jwa.KeyEncryptionAlgorithm, key interface{}, option
 	var dst *Message
 	var postParse PostParser
 
+	// in v1 the default value is hardcoded. Use v2 if you want to change this value globally
+	var maxDecompressBufferSize int64 = 10 * 1024 * 1024
 	//nolint:forcetypeassert
 	for _, option := range options {
 		switch option.Ident() {
@@ -227,6 +235,8 @@ func Decrypt(buf []byte, alg jwa.KeyEncryptionAlgorithm, key interface{}, option
 			dst = option.Value().(*Message)
 		case identPostParser{}:
 			postParse = option.Value().(PostParser)
+		case identMaxDecompressBufferSize{}:
+			maxDecompressBufferSize = option.Value().(int64)
 		}
 	}
 
@@ -241,6 +251,7 @@ func Decrypt(buf []byte, alg jwa.KeyEncryptionAlgorithm, key interface{}, option
 			return nil, errors.Wrap(err, `failed to execute PostParser hook`)
 		}
 	}
+	ctx.maxDecompressBufferSize = maxDecompressBufferSize
 
 	payload, err := doDecryptCtx(&ctx)
 	if err != nil {
diff --git a/vendor/github.com/lestrrat-go/jwx/jwe/message.go b/vendor/github.com/lestrrat-go/jwx/jwe/message.go
index 9559877e33..d8fe660d6a 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwe/message.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwe/message.go
@@ -632,9 +632,10 @@ func doDecryptCtx(dctx *decryptCtx) ([]byte, error) {
 		}
 
 		if h2.Compression() == jwa.Deflate {
-			buf, err := uncompress(plaintext)
+			buf, err := uncompress(plaintext, dctx.maxDecompressBufferSize)
 			if err != nil {
 				lastError = errors.Wrap(err, `failed to uncompress payload`)
+				plaintext = nil
 				continue
 			}
 			plaintext = buf
diff --git a/vendor/github.com/lestrrat-go/jwx/jwe/options.go b/vendor/github.com/lestrrat-go/jwx/jwe/options.go
index 617e0e47cb..9b33732be1 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwe/options.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwe/options.go
@@ -11,6 +11,7 @@ type identMessage struct{}
 type identPostParser struct{}
 type identPrettyFormat struct{}
 type identProtectedHeader struct{}
+type identMaxDecompressBufferSize struct{}
 
 type DecryptOption interface {
 	Option
@@ -23,6 +24,14 @@ type decryptOption struct {
 
 func (*decryptOption) decryptOption() {}
 
+// WithMaxDecompressBufferSize specifies the maximum buffer size for used when
+// decompressing the payload of a JWE message. If a JWE payload is compressed,
+// and the size of the decompressed payload exceeds this amount, and error is
+// returned. The default value is 10MB.
+func WithMaxDecompressBufferSize(size int64) DecryptOption {
+	return &decryptOption{option.New(identMaxDecompressBufferSize{}, size)}
+}
+
 type SerializerOption interface {
 	Option
 	serializerOption()
diff --git a/vendor/modules.txt b/vendor/modules.txt
index eeee9e3715..cf8cc1fd9d 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -178,7 +178,7 @@ github.com/lestrrat-go/httpcc
 ## explicit; go 1.13
 github.com/lestrrat-go/iter/arrayiter
 github.com/lestrrat-go/iter/mapiter
-# github.com/lestrrat-go/jwx v1.2.28
+# github.com/lestrrat-go/jwx v1.2.29
 ## explicit; go 1.15
 github.com/lestrrat-go/jwx
 github.com/lestrrat-go/jwx/internal/base64
@@ -276,7 +276,7 @@ go.etcd.io/bbolt
 # go.uber.org/atomic v1.6.0
 ## explicit; go 1.13
 go.uber.org/atomic
-# golang.org/x/crypto v0.17.0
+# golang.org/x/crypto v0.21.0
 ## explicit; go 1.18
 golang.org/x/crypto/curve25519
 golang.org/x/crypto/curve25519/internal/field
@@ -285,8 +285,8 @@ golang.org/x/crypto/md4
 golang.org/x/crypto/ocsp
 golang.org/x/crypto/pbkdf2
 golang.org/x/crypto/scrypt
-# golang.org/x/net v0.17.0
-## explicit; go 1.17
+# golang.org/x/net v0.21.0
+## explicit; go 1.18
 golang.org/x/net/bpf
 golang.org/x/net/html
 golang.org/x/net/html/atom
@@ -302,7 +302,7 @@ golang.org/x/net/ipv4
 golang.org/x/net/ipv6
 golang.org/x/net/proxy
 golang.org/x/net/publicsuffix
-# golang.org/x/sys v0.15.0
+# golang.org/x/sys v0.18.0
 ## explicit; go 1.18
 golang.org/x/sys/unix
 golang.org/x/sys/windows