Merge pull request #1769 from gchq/revert-1753-jsonwebtoken-vuln

gchq · Apr 2, 2024 · dc8c185 · dc8c185
2 parents 9448106 + 99efcb5
commit dc8c185
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 40 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -135,7 +135,7 @@
     "jsesc": "^3.0.2",
     "json5": "^2.2.3",
     "jsonpath-plus": "^8.0.0",
-    "jsonwebtoken": "^9.0.0",
+    "jsonwebtoken": "8.5.1",
     "jsqr": "^1.4.0",
     "jsrsasign": "^11.1.0",
     "kbpgp": "2.1.15",

diff --git a/src/core/operations/JWTSign.mjs b/src/core/operations/JWTSign.mjs
@@ -50,12 +50,7 @@ class JWTSign extends Operation {
 
         try {
             return jwt.sign(input, key, {
-                algorithm: algorithm === "None" ? "none" : algorithm,
-
-                // To utilize jsonwebtoken 9+ library and maintain backwards compatibility for regression tests
-                // This could be turned into operation args in a future PR
-                allowInsecureKeySizes: true,
-                allowInvalidAsymmetricKeyTypes: true
+                algorithm: algorithm === "None" ? "none" : algorithm
             });
         } catch (err) {
             throw new OperationError(`Error: Have you entered the key correctly? The key should be either the secret for HMAC algorithms or the PEM-encoded private key for RSA and ECDSA.