From 5fd3fada33040cdf27f7ec6b870b67a20d63ce00 Mon Sep 17 00:00:00 2001
From: Hasan Turken
Date: Tue, 27 Jul 2021 10:57:22 +0300
Subject: [PATCH] Migrate to golang-jwt v3.2.1
Fix for https://github.com/advisories/GHSA-w73w-5m7g-f7qc
Signed-off-by: Hasan Turken
---
 cmd/upbound-agent/main.go | 2 +-
 go.mod | 2 +-
 go.sum | 2 ++
 internal/controllers/billing/aws/aws.go | 2 +-
 internal/upboundagent/internal/upboundapi.go | 2 +-
 internal/upboundagent/proxy.go | 2 +-
 internal/upboundagent/proxy_test.go | 2 +-
 7 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/cmd/upbound-agent/main.go b/cmd/upbound-agent/main.go
index 1744d2c1..8942457b 100644
--- a/cmd/upbound-agent/main.go
+++ b/cmd/upbound-agent/main.go
@@ -24,7 +24,7 @@ import (
 "strings"
 "github.com/alecthomas/kong"
- "github.com/dgrijalva/jwt-go"
+ "github.com/golang-jwt/jwt"
 "github.com/google/uuid"
 "github.com/pkg/errors"
 corev1 "k8s.io/api/core/v1"
diff --git a/go.mod b/go.mod
index 01553a83..8d453f51 100644
--- a/go.mod
+++ b/go.mod
@@ -8,8 +8,8 @@ require (
 github.com/aws/aws-sdk-go-v2/config v1.1.4
 github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.2.1
 github.com/crossplane/crossplane-runtime v0.13.1-0.20210504165942-53874539b310
- github.com/dgrijalva/jwt-go v3.2.0+incompatible
 github.com/go-resty/resty/v2 v2.5.0
+ github.com/golang-jwt/jwt v3.2.1+incompatible
 github.com/golang/mock v1.5.0
 github.com/google/addlicense v0.0.0-20210428195630-6d92264d7170
 github.com/google/go-cmp v0.5.5
diff --git a/go.sum b/go.sum
index 54c18137..0b3a565b 100644
--- a/go.sum
+++ b/go.sum
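Review bot: Removing the direct `github.com/dgrijalva/jwt-go` requirement in the go.mod hunk does not by itself show that the module has left the build: the diffstat lists `go.sum | 2 ++` with no deletions, so its go.sum entries were kept, which usually means either `go mod tidy` was not run or another dependency still requires it. If it is still required transitively, the code covered by GHSA-w73w-5m7g-f7qc can remain reachable through that dependency's own JWT handling; the labstack/echo imports in proxy.go and proxy_test.go are one candidate, though this diff does not show which version is in use. I would run `go mod why -m github.com/dgrijalva/jwt-go` and `go list -m all` on this branch and, if the module is still listed, upgrade the dependency that pulls it in before treating the advisory as resolved.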
@@ -218,6 +218,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c= +github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
diff --git a/internal/controllers/billing/aws/aws.go b/internal/controllers/billing/aws/aws.go
index 21ed56eb..4531e7fd 100644
--- a/internal/controllers/billing/aws/aws.go
+++ b/internal/controllers/billing/aws/aws.go
@@ -21,7 +21,7 @@ import (
 "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/service/marketplacemetering"
- "github.com/dgrijalva/jwt-go"
+ "github.com/golang-jwt/jwt"
 "github.com/pkg/errors"
 v1 "k8s.io/api/core/v1"
 "sigs.k8s.io/controller-runtime/pkg/client"
diff --git a/internal/upboundagent/internal/upboundapi.go b/internal/upboundagent/internal/upboundapi.go
index 87d3c1e8..7b999fd1 100644
--- a/internal/upboundagent/internal/upboundapi.go
+++ b/internal/upboundagent/internal/upboundapi.go
@@ -14,7 +14,7 @@
 package internal
-import "github.com/dgrijalva/jwt-go"
+import "github.com/golang-jwt/jwt"
 // CrossplaneAccessor is the struct holding accessor info in JWT custom claims
 type CrossplaneAccessor struct {
diff --git a/internal/upboundagent/proxy.go b/internal/upboundagent/proxy.go
index c8d2a0dc..ce60789f 100644
--- a/internal/upboundagent/proxy.go
+++ b/internal/upboundagent/proxy.go
@@ -28,7 +28,7 @@ import (
 "syscall"
 "time"
- "github.com/dgrijalva/jwt-go"
+ "github.com/golang-jwt/jwt"
 "github.com/google/uuid"
 "github.com/labstack/echo-contrib/jaegertracing"
 "github.com/labstack/echo-contrib/prometheus"
diff --git a/internal/upboundagent/proxy_test.go b/internal/upboundagent/proxy_test.go
index 83a9877d..accf60e3 100644
--- a/internal/upboundagent/proxy_test.go
+++ b/internal/upboundagent/proxy_test.go
@@ -25,7 +25,7 @@ import (
 "github.com/crossplane/crossplane-runtime/pkg/logging"
- "github.com/dgrijalva/jwt-go"
+ "github.com/golang-jwt/jwt"
 "github.com/google/go-cmp/cmp"
 "github.com/labstack/echo/v4"
 "github.com/pkg/errors"