add safechecks for string and json parsing

postmanlabs · Oct 9, 2023 · 356f0bb · 356f0bb
1 parent e425e08
commit 356f0bb
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/lib/authorizer/asap.js b/lib/authorizer/asap.js
@@ -161,7 +161,7 @@ module.exports = {
             jwtTokenId = claims.jti || uuid.v4(),
             issuedAt = claims.iat,
             expiry = params.exp || DEFAULT_EXPIRY,
-            privateKey = params.privateKey && removeNewlines(params.privateKey),
+            privateKey = params.privateKey,
             kid = params.kid,
 
             // Atlassian's internal tool for generating keys uses RS256 by default
@@ -170,8 +170,14 @@ module.exports = {
         if (typeof claims === 'string') {
             const trimmedClaims = claims.trim();
 
-            claims = trimmedClaims && JSON.parse(trimmedClaims);
+            try {
+                claims = trimmedClaims && JSON.parse(trimmedClaims);
+            }
+            catch (err) {
+                return done(new Error('Failed to parse claims'));
+            }
         }
+
         // Validation
         if (!kid || !issuer || !audience || !jwtTokenId || !privateKey || !kid) {
             return done(new Error('One or more of required claims missing'));
@@ -181,7 +187,12 @@ module.exports = {
             return done(new Error('invalid algorithm'));
         }
 
+        if (typeof privateKey !== 'string') {
+            return done(new Error('privateKey must be a string'));
+        }
+
         try {
+            privateKey = removeNewlines(privateKey);
             privateKey = parsePrivateKey(kid, privateKey);
         }
         catch (err) {