You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Apart from the JWT required claims, seetie.ValueToMap() is currently used for the following:
in eval/http.go: attributes values
set_query_params
add_query_params
set_form_params
add_form_params
set_request_headers
add_request_headers
set_response_headers
add_response_headers
in eval/lib/jwt.go: jwt signing config attribute values
headers
claims
in config/configload/helper.go: jwt signing config attribute values
headers
in oauth2/client.go: jwt signing config attribute values
headers
claims
in handler/transport/oauth2_req_auth.go: jwt signing config attribute values
headers
claims
I guess that calling ValueToStringSlice() is potentially harmful in all cases apart from those in eval/http.go, where it could be argued to be a sort of user-friendly sanitization for non-string input.
Currently (v1.12.1), there are (at least) two flaws in the JWT claim validation.
validateClaims()
:This panics if the two variables have the same type and the type is uncomparable (
[]interface{}
ormap[string]interface{}
).getConfiguredClaims()
ValueToMap()
creates a string slice for all list/tuple claim values by callingValueToStringSlice()
, regardless of the original type. So e.g.will create
[]string{"0", "1", "2"}
. This may be useful for some uses ofseetie.ValueToMap()
, but here is doesn't work properly.The text was updated successfully, but these errors were encountered: