Migrate to golang-jwt v3.2.1 #166
Conversation
Fix for GHSA-w73w-5m7g-f7qc Signed-off-by: Hasan Turken <[email protected]>
turkenh
force-pushed
the
migrate-to-golang-jwt
branch
from
b9c290c to
5fd3fad
Compare
| @@ -28,7 +28,7 @@ import ( | |||
| "syscall" | |||
| "time" | |||
|
|
|||
| "github.com/dgrijalva/jwt-go" | |||
| "github.com/golang-jwt/jwt" | |||
There was a problem hiding this comment.
We still refer to the old library (https://github.com/dgrijalva) in a comment at line 438) in this file in the context of a previous fix. Because it's about clock skew, so I would expect that issue to be also relevant with the new library but I have not put thought into it. Just writing here so that we do not overlook it.
There was a problem hiding this comment.
This should be ok. We already fixed that problem on our end and the issue is referenced just to set the context.
| @@ -218,6 +218,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV | |||
| github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= | |||
| github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= | |||
| github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= | |||
| github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c= | |||
There was a problem hiding this comment.
Why is github.com/dgrijalva/jwt-go still not removed from go.sum? Is it still an indirect dependency? If so, it may still pose a security threat.
There was a problem hiding this comment.
Hmm, good point, let me check.
There was a problem hiding this comment.
This comes as an indirect dependency from labstack/echo library:
go mod why github.com/dgrijalva/jwt-go
# github.com/dgrijalva/jwt-go
github.com/upbound/universal-crossplane/internal/upboundagent
github.com/labstack/echo/v4/middleware
github.com/dgrijalva/jwt-go
Unfortunately, that library does not have a version including a fix rather they claim not to be effected by the issue: labstack/echo#1916 (comment)
Opened another draft PR with replace however, it is failing with another issue during go mod tidy: #167
Not sure how to proceed here yet.
There was a problem hiding this comment.
My understanding from that comment is that we are safe in this situation because labstack/echo claims no optional audience verification by default. However, we had better keep an eye on v5 of labstack/echo where they will get rid of the unmaintained github.com/dgrijalva/jwt-go dependency.
Because labstack/echo is the only consumer of github.com/dgrijalva/jwt-go and because they claim no optional audience verification by default, I think we are good to go.
And we had better get rid of the direct dependency asap.
There was a problem hiding this comment.
And if somewhere, we were ourselves doing an optional audience verification using the vulnerable library (github.com/dgrijalva/jwt-go), then it would have been our direct dependency.
There was a problem hiding this comment.
@negz, @daren-eth, we may keep an eye on labstack/echo and github.com/dgrijalva/jwt-go as I had previously observed that we depend on them elsewhere, e.g., upbound-api.
There was a problem hiding this comment.
Thanks @turkenh for the investigation.
There was a problem hiding this comment.
Created this issue to track indirect dependencies: #168
|
Successfully created backport PR #169 for |
Description of your changes
Migrate to golang-jwt v3.2.1 as advised in the description of the security issue CVE-2020-26160.
Fixes GHSA-w73w-5m7g-f7qc
I have:
make reviewableto ensure this PR is ready for review.backport release-x.ylabels to auto-backport this PR, as appropriate.How has this code been tested
make e2e.runand verify that validation passes.