From 97969fc81581379d2a3c49d839206cc9b9e05d9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=A4=95=E0=A4=BE=E0=A4=B0=E0=A4=A4=E0=A5=8B=E0=A4=AB?= =?UTF-8?q?=E0=A5=8D=E0=A4=AB=E0=A5=87=E0=A4=B2=E0=A4=B8=E0=A5=8D=E0=A4=95?= =?UTF-8?q?=E0=A5=8D=E0=A4=B0=E0=A4=BF=E0=A4=AA=E0=A5=8D=E0=A4=9F=E2=84=A2?=
Date: Fri, 13 Jan 2023 18:24:59 +0100
Subject: [PATCH] fix: Upgrade `jsonwebtoken` to address CVE-2022-23540 (#5116)

---
 package.json | 1 +
 packages/cli/package.json | 4 +-
 packages/cli/src/UserManagement/auth/jwt.ts | 5 +-
 packages/nodes-base/package.json | 4 +-
 pnpm-lock.yaml | 68 +++++++--------------
 5 files changed, 31 insertions(+), 51 deletions(-)

diff --git a/package.json b/package.json
index 68d2f7d3d5615..a22fc35924efd 100644
--- a/package.json
+++ b/package.json
@@ -67,6 +67,7 @@
 "browserslist": "^4.21.4",
 "ejs": "^3.1.8",
 "fork-ts-checker-webpack-plugin": "^6.0.4",
+ "jsonwebtoken": "9.0.0",
 "cpy@8>globby": "^11.1.0",
 "qqjs>globby": "^11.1.0"
 }
diff --git a/packages/cli/package.json b/packages/cli/package.json
index d69a4f5488e26..1af97646388bb 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -72,7 +72,7 @@
 "@types/cookie-parser": "^1.4.2",
 "@types/express": "^4.17.6",
 "@types/json-diff": "^0.5.1",
- "@types/jsonwebtoken": "^8.5.2",
+ "@types/jsonwebtoken": "^9.0.0",
 "@types/localtunnel": "^1.9.0",
 "@types/lodash.get": "^4.4.6",
 "@types/lodash.intersection": "^4.4.7",
@@ -144,7 +144,7 @@
 "ioredis": "^5.2.4",
 "json-diff": "^0.5.4",
 "jsonschema": "^1.4.1",
- "jsonwebtoken": "^8.5.1",
+ "jsonwebtoken": "^9.0.0",
 "jwks-rsa": "~1.12.1",
 "localtunnel": "^2.0.0",
 "lodash.get": "^4.4.2",
diff --git a/packages/cli/src/UserManagement/auth/jwt.ts b/packages/cli/src/UserManagement/auth/jwt.ts
index 63309657ad63e..20ffd79db4a8d 100644
--- a/packages/cli/src/UserManagement/auth/jwt.ts
+++ b/packages/cli/src/UserManagement/auth/jwt.ts
@@ -27,6 +27,7 @@ export function issueJWT(user: User): JwtToken {
 const signedToken = jwt.sign(payload, config.getEnv('userManagement.jwtSecret'), {
 expiresIn: expiresIn / 1000 /* in seconds */,
+ algorithm: 'HS256',
 });
 return {
@@ -57,7 +58,9 @@ export async function resolveJwtContent(jwtPayload: JwtPayload): Promise {
 }
 export async function resolveJwt(token: string): Promise {
- const jwtPayload = jwt.verify(token, config.getEnv('userManagement.jwtSecret')) as JwtPayload;
+ const jwtPayload = jwt.verify(token, config.getEnv('userManagement.jwtSecret'), {
+ algorithms: ['HS256'],
+ }) as JwtPayload;
 return resolveJwtContent(jwtPayload);
 }
diff --git a/packages/nodes-base/package.json b/packages/nodes-base/package.json
index 01b710c2ba02c..a70ef66df119b 100644
--- a/packages/nodes-base/package.json
+++ b/packages/nodes-base/package.json
@@ -735,7 +735,7 @@
 "@types/formidable": "^1.0.31",
 "@types/gm": "^1.18.2",
 "@types/imap-simple": "^4.2.0",
- "@types/jsonwebtoken": "^8.5.2",
+ "@types/jsonwebtoken": "^9.0.0",
 "@types/lodash.set": "^4.3.6",
 "@types/lossless-json": "^1.0.0",
 "@types/mailparser": "^2.7.3",
@@ -780,7 +780,7 @@
 "isbot": "^3.3.4",
 "iso-639-1": "^2.1.3",
 "js-nacl": "^1.4.0",
- "jsonwebtoken": "^8.5.1",
+ "jsonwebtoken": "^9.0.0",
 "kafkajs": "^1.14.0",
 "lodash.get": "^4.4.2",
 "lodash.set": "^4.3.2",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 1e1a31795ad41..c2afa0902b81d 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -8,6 +8,7 @@ overrides: browserslist: ^4.21.4 ejs: ^3.1.8 fork-ts-checker-webpack-plugin: ^6.0.4 + jsonwebtoken: 9.0.0 cpy@8>globby: ^11.1.0 qqjs>globby: ^11.1.0
@@ -110,7 +111,7 @@ importers: '@types/cookie-parser': ^1.4.2 '@types/express': ^4.17.6 '@types/json-diff': ^0.5.1 - '@types/jsonwebtoken': ^8.5.2 + '@types/jsonwebtoken': ^9.0.0 '@types/localtunnel': ^1.9.0 '@types/lodash.get': ^4.4.6 '@types/lodash.intersection': ^4.4.7
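Review bot: `resolveJwt` still narrows the result of `jwt.verify` with `as JwtPayload`; with `algorithms` now pinned, the remaining unchecked case is a token whose payload is a JSON string rather than an object, which the `@types/jsonwebtoken` 9 typings report as `string | JwtPayload` and the cast silently hides, so I would replace the cast with a guard such as `if (typeof decoded === 'string') throw new Error('JWT payload must be an object');` before calling `resolveJwtContent`. Neither new option line says why the algorithm is fixed, and the next maintainer may "tidy" it away; add above each `// Pin HS256 on both sign and verify so the token header can never choose the algorithm (alg confusion, CVE-2022-23540).` Both calls read the same `userManagement.jwtSecret`; for HS256 that secret should be at least 256 bits (RFC 7518 §3.2) and, as far as I can tell, jsonwebtoken 9 enforces minimum sizes for asymmetric keys but not for HMAC secrets, so a length check where that config value is loaded is worth confirming. `issueJWT`'s body begins before the first hunk.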
@@ -167,7 +168,7 @@ importers: ioredis: ^5.2.4 json-diff: ^0.5.4 jsonschema: ^1.4.1 - jsonwebtoken: ^8.5.1 + jsonwebtoken: 9.0.0 jwks-rsa: ~1.12.1 localtunnel: ^2.0.0 lodash.get: ^4.4.2 @@ -259,7 +260,7 @@ importers: ioredis: 5.2.4 json-diff: 0.5.5 jsonschema: 1.4.1 - jsonwebtoken: 8.5.1 + jsonwebtoken: 9.0.0 jwks-rsa: 1.12.3 localtunnel: 2.0.2 lodash.get: 4.4.2 @@ -321,7 +322,7 @@ importers: '@types/cookie-parser': 1.4.3 '@types/express': 4.17.14 '@types/json-diff': 0.5.2 - '@types/jsonwebtoken': 8.5.9 + '@types/jsonwebtoken': 9.0.0 '@types/localtunnel': 1.9.0 '@types/lodash.get': 4.4.7 '@types/lodash.intersection': 4.4.7 @@ -713,7 +714,7 @@ importers: '@types/gm': ^1.18.2 '@types/imap-simple': ^4.2.0 '@types/js-nacl': ^1.3.0 - '@types/jsonwebtoken': ^8.5.2 + '@types/jsonwebtoken': ^9.0.0 '@types/lodash.set': ^4.3.6 '@types/lossless-json': ^1.0.0 '@types/mailparser': ^2.7.3 @@ -753,7 +754,7 @@ importers: isbot: ^3.3.4 iso-639-1: ^2.1.3 js-nacl: ^1.4.0 - jsonwebtoken: ^8.5.1 + jsonwebtoken: 9.0.0 kafkajs: ^1.14.0 lodash.get: ^4.4.2 lodash.set: ^4.3.2 @@ -813,7 +814,7 @@ importers: isbot: 3.6.1 iso-639-1: 2.1.15 js-nacl: 1.4.0 - jsonwebtoken: 8.5.1 + jsonwebtoken: 9.0.0 kafkajs: 1.16.0 lodash.get: 4.4.2 lodash.set: 4.3.2 @@ -860,7 +861,7 @@ importers: '@types/formidable': 1.2.5 '@types/gm': 1.18.12 '@types/imap-simple': 4.2.5 - '@types/jsonwebtoken': 8.5.9 + '@types/jsonwebtoken': 9.0.0 '@types/lodash.set': 4.3.7 '@types/lossless-json': 1.0.1 '@types/mailparser': 2.7.4 @@ -1193,7 +1194,7 @@ packages: engines: {node: 10 || 12 || 14 || 16 || 18} dependencies: '@azure/msal-common': 7.6.0 - jsonwebtoken: 8.5.1 + jsonwebtoken: 9.0.0 uuid: 8.3.2 dev: false 
@@ -5856,8 +5857,8 @@ packages: resolution: {integrity: sha512-v7qlPA0VpKUlEdhghbDqRoKMxFB3h3Ch688TApBJ6v+XLDdvWCGLJIYiPKGZnS6MAOie+IorCfNYVHOPIHSWwQ==} dev: true - /@types/jsonwebtoken/8.5.9: - resolution: {integrity: sha512-272FMnFGzAVMGtu9tkr29hRL6bZj4Zs1KZNeHLnKqAvp06tAIcarTMwOh8/8bz4FmKRcMxZhZNeUAQsNLoiPhg==} + /@types/jsonwebtoken/9.0.0: + resolution: {integrity: sha512-mM4TkDpA9oixqg1Fv2vVpOFyIVLJjm5x4k0V+K/rEsizfjD7Tk7LKk3GTtbB7KCfP0FEHQtsZqFxYA0+sijNVg==} dependencies: '@types/node': 16.11.65 dev: true @@ -6093,7 +6094,7 @@ packages: resolution: {integrity: sha512-qRQ4qlww1Yhs3IaioDKrsDNmKy6gLDLgFsGwpCnc2YqWovO2Oxu9yCQdWHMJafQ7UIuOba4C4/TNXcGkQfEjlQ==} dependencies: '@types/express': 4.17.14 - '@types/jsonwebtoken': 8.5.9 + '@types/jsonwebtoken': 9.0.0 '@types/passport-strategy': 0.2.35 dev: true @@ -14770,20 +14771,14 @@ packages: resolution: {integrity: sha512-S6cATIPVv1z0IlxdN+zUk5EPjkGCdnhN4wVSBlvoUO1tOLJootbo9CquNJmbIh4yikWHiUedhRYrNPn1arpEmQ==} dev: false - /jsonwebtoken/8.5.1: - resolution: {integrity: sha512-XjwVfRS6jTMsqYs0EsuJ4LGxXV14zQybNd4L2r0UvbVnSF9Af8x7p5MzbJ90Ioz/9TI41/hTCvznF/loiSzn8w==} - engines: {node: '>=4', npm: '>=1.4.28'} + /jsonwebtoken/9.0.0: + resolution: {integrity: sha512-tuGfYXxkQGDPnLJ7SibiQgVgeDgfbPq2k2ICcbgqW8WxWLBAxKQM/ZCu/IT8SOSwmaYl4dpTFCW5xZv7YbbWUw==} + engines: {node: '>=12', npm: '>=6'} dependencies: jws: 3.2.2 - lodash.includes: 4.3.0 - lodash.isboolean: 3.0.3 - lodash.isinteger: 4.0.4 - lodash.isnumber: 3.0.3 - lodash.isplainobject: 4.0.6 - lodash.isstring: 4.0.1 - lodash.once: 4.1.1 + lodash: 4.17.21 ms: 2.1.3 - semver: 5.7.1 + semver: 7.3.8 dev: false /jsplumb/2.15.4: @@ -14850,7 +14845,7 @@ packages: debug: 4.3.4 http-proxy-agent: 4.0.1 https-proxy-agent: 5.0.1 - jsonwebtoken: 8.5.1 + jsonwebtoken: 9.0.0 limiter: 1.1.5 lru-memoizer: 2.1.4 ms: 2.1.3 
@@ -15211,10 +15206,6 @@ packages: /lodash.get/4.4.2: resolution: {integrity: sha512-z+Uw/vLuy6gQe8cfaFWD7p0wVv8fJl3mbzXh33RS+0oW2wvUqiRXiQ69gLWSLpgB5/6sU+r6BlQR0MBILadqTQ==} - /lodash.includes/4.3.0: - resolution: {integrity: sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==} - dev: false - /lodash.intersection/4.4.0: resolution: {integrity: sha512-N+L0cCfnqMv6mxXtSPeKt+IavbOBBSiAEkKyLasZ8BVcP9YXQgxLO12oPR8OyURwKV8l5vJKiE1M8aS70heuMg==} dev: false @@ -15223,25 +15214,9 @@ packages: resolution: {integrity: sha512-chi4NHZlZqZD18a0imDHnZPrDeBbTtVN7GXMwuGdRH9qotxAjYs3aVLKc7zNOG9eddR5Ksd8rvFEBc9SsggPpg==} dev: false - /lodash.isboolean/3.0.3: - resolution: {integrity: sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==} - dev: false - /lodash.isequal/4.5.0: resolution: {integrity: sha512-pDo3lu8Jhfjqls6GkMgpahsF9kCyayhgykjyLMNFTKWrpVdAQtYyB4muAMWozBB4ig/dtWAmsMxLEI8wuz+DYQ==} - /lodash.isinteger/4.0.4: - resolution: {integrity: sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==} - dev: false - - /lodash.isnumber/3.0.3: - resolution: {integrity: sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==} - dev: false - - /lodash.isplainobject/4.0.6: - resolution: {integrity: sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==} - dev: false - /lodash.isstring/4.0.1: resolution: {integrity: sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==} dev: false @@ -15263,6 +15238,7 @@ packages: /lodash.once/4.1.1: resolution: {integrity: sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==} + dev: true /lodash.orderby/4.6.0: resolution: {integrity: sha512-T0rZxKmghOOf5YPnn8EY5iLYeWCpZq8G41FfqoVHH5QDTAFaghJRmAdLiadEDq+ztgM2q5PjA+Z1fOwGrLgmtg==} 
@@ -17037,7 +17013,7 @@ packages: /passport-jwt/4.0.0: resolution: {integrity: sha512-BwC0n2GP/1hMVjR4QpnvqA61TxenUMlmfNjYNgK0ZAs0HK4SOQkHcSv4L328blNTLtHq7DbmvyNJiH+bn6C5Mg==} dependencies: - jsonwebtoken: 8.5.1 + jsonwebtoken: 9.0.0 passport-strategy: 1.0.0 dev: false @@ -19404,7 +19380,7 @@ packages: extend: 3.0.2 generic-pool: 3.9.0 glob: 7.2.3 - jsonwebtoken: 8.5.1 + jsonwebtoken: 9.0.0 mime-types: 2.1.35 mkdirp: 1.0.4 mock-require: 3.0.3