Merge pull request #1753 from chriswhite199/jsonwebtoken-vuln

gchq · Mar 29, 2024 · 6edf731 · 6edf731
2 parents 6fd00e2 + ef5ff5b
commit 6edf731
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 13 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -134,7 +134,7 @@
     "jsesc": "^3.0.2",
     "json5": "^2.2.3",
     "jsonpath-plus": "^8.0.0",
-    "jsonwebtoken": "8.5.1",
+    "jsonwebtoken": "^9.0.0",
     "jsqr": "^1.4.0",
     "jsrsasign": "^11.1.0",
     "kbpgp": "2.1.15",

diff --git a/src/core/operations/JWTSign.mjs b/src/core/operations/JWTSign.mjs
@@ -50,7 +50,12 @@ class JWTSign extends Operation {
 
         try {
             return jwt.sign(input, key, {
-                algorithm: algorithm === "None" ? "none" : algorithm
+                algorithm: algorithm === "None" ? "none" : algorithm,
+
+                // To utilize jsonwebtoken 9+ library and maintain backwards compatibility for regression tests
+                // This could be turned into operation args in a future PR
+                allowInsecureKeySizes: true,
+                allowInvalidAsymmetricKeyTypes: true
             });
         } catch (err) {
             throw new OperationError(`Error: Have you entered the key correctly? The key should be either the secret for HMAC algorithms or the PEM-encoded private key for RSA and ECDSA.