vendor: github.com/go-jose/go-jose/v4 v4.0.5#5867
Conversation
- Don't allow unbounded amounts of splits. Fixes GHSA-c6gw-w398-hv78 / CVE-2025-27144
- Various other dependency updates, small fixes, and documentation updates in the full changelog

full diff: go-jose/go-jose@v4.0.4...v4.0.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files

@@ Coverage Diff @@
## master #5867 +/- ##
=======================================
Coverage 59.30% 59.30%
=======================================
Files 353 353
Lines 29694 29694
=======================================
Hits 17609 17609
Misses 11104 11104
Partials 981 981
| parts := strings.Split(input, ".") | ||
| if len(parts) != 5 { | ||
| // Five parts is four separators | ||
| if strings.Count(input, ".") != 4 { | ||
| return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts") | ||
| } | ||
| parts := strings.SplitN(input, ".", 5) |
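Review bot: the `strings.Count(input, ".") != 4` pre-check followed by `strings.SplitN(input, ".", 5)` walks the input twice and encodes the same invariant as two constants (`4` separators, limit `5`) that have to be kept in sync; a single `strings.SplitN(input, ".", 6)` with the existing `len(parts) != 5` check would be one pass, keep one constant, and still cap the slice at six elements. Either form fixes the reported issue, since the removed `strings.Split(input, ".")` allocated one slice slot per separator before the length check ran, whereas `Count` allocates nothing and the bounded `SplitN` cannot grow past its limit.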
Changes look minimal, low-risk, although I'm not sure why they didn't use the SplitN result to get the number of components, setting the limit to expected + 1 (and producing an error if it's not the expected number).
| } else { | ||
| err = fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv) | ||
| return fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv) | ||
| } | ||
| default: | ||
| err = fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty) | ||
| return fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty) | ||
| } | ||
|
|
||
| if err != nil { |
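Review bot: turning `err = fmt.Errorf(...)` into `return fmt.Errorf(...)` in the `unknown curve` and `unknown json web key type` branches leaves the trailing `if err != nil {` covering only whichever branches still assign `err`, so the function now mixes two error-handling styles; worth confirming that every remaining branch either returns directly or still sets `err` before that check, so no path falls through with `err == nil`. Converting the rest of the switch to direct returns (upstream, as suggested in the thread) would remove the mixed style and the need for the later check.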
Code flow here looks a bit dubious (naked return below); perhaps we should open a PR in upstream to clean this up
| parts := strings.Split(input, ".") | ||
| if len(parts) != 3 { | ||
| // Three parts is two separators | ||
| if strings.Count(input, ".") != 2 { | ||
| return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts") | ||
| } | ||
| parts := strings.SplitN(input, ".", 3) |
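Review bot: same shape as the JWE hunk, the `strings.Count(input, ".") != 2` check makes the following `strings.SplitN(input, ".", 3)` safe on hostile input, but the separator count (`2`) and the split limit (`3`) are two constants expressing one invariant; `strings.SplitN(input, ".", 4)` with a `len(parts) != 3` check would do it in one pass with one constant while still bounding the slice at four entries.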
Same / similar changes here
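Both split hunks above (the five-part JWE one and the three-part JWS one) replace an unbounded `strings.Split` with a separator count followed by a bounded `strings.SplitN`, and the review comments ask why the SplitN limit was not simply set to expected + 1. The following Go program is an added example written for this page, not code from go-jose or this PR; it puts the three shapes side by side on a well-formed input and on a constructed input that is nothing but dots, and reports the capacity of the slice each strategy allocates, which is the quantity the fix bounds. The helper names, the `splitResult` type and the sample inputs are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadCompact is returned when the input does not have exactly the expected
// number of dot-separated parts (3 for a compact JWS, 5 for a compact JWE).
var ErrBadCompact = errors.New("compact serialization: wrong number of parts")

// splitResult records the parsed parts and how many slice slots the
// intermediate split allocated (cap of the slice strings.Split* returned).
type splitResult struct {
	parts []string
	slots int
}

// splitUnbounded has the pre-fix shape: strings.Split scans the whole input
// and allocates one slot per segment before the length check runs, so an
// input of N separators costs a backing array of N+1 string headers.
func splitUnbounded(input string, want int) (splitResult, error) {
	parts := strings.Split(input, ".")
	r := splitResult{slots: cap(parts)}
	if len(parts) != want {
		return r, ErrBadCompact
	}
	r.parts = parts
	return r, nil
}

// splitCounted follows the vendored fix: count separators first, which
// allocates nothing, then split with the limit set to the expected count.
func splitCounted(input string, want int) (splitResult, error) {
	if strings.Count(input, ".") != want-1 {
		return splitResult{}, ErrBadCompact
	}
	parts := strings.SplitN(input, ".", want)
	return splitResult{parts: parts, slots: cap(parts)}, nil
}

// splitLimited is the single-pass alternative raised in review: ask SplitN for
// one more part than expected. Surplus separators stay inside the final
// element, the length check rejects the input, and the slice never exceeds
// want+1 slots whatever the input looks like.
func splitLimited(input string, want int) (splitResult, error) {
	parts := strings.SplitN(input, ".", want+1)
	r := splitResult{slots: cap(parts)}
	if len(parts) != want {
		return r, ErrBadCompact
	}
	r.parts = parts
	return r, nil
}

func main() {
	// Constructed inputs: a three-part JWS shape (header.payload.signature,
	// with an empty signature as for alg "none") and a hostile payload that
	// is nothing but separators.
	good := "eyJhbGciOiJub25lIn0.e30."
	hostile := strings.Repeat(".", 1<<16)

	strategies := []struct {
		name string
		fn   func(string, int) (splitResult, error)
	}{
		{"Split", splitUnbounded},
		{"Count+SplitN", splitCounted},
		{"SplitN(want+1)", splitLimited},
	}
	for _, s := range strategies {
		r, err := s.fn(good, 3)
		fmt.Printf("%-15s well-formed: parts=%d err=%v\n", s.name, len(r.parts), err)
		r, err = s.fn(hostile, 3)
		fmt.Printf("%-15s hostile:     slots=%d err=%v\n", s.name, r.slots, err)
	}
}
```

Running it shows that all three reject the hostile input, but only the pre-fix `strings.Split` pays for a 65537-slot backing array before doing so; the counted form allocates nothing on rejection and the expected+1 form allocates four slots, so either bounded form is a valid fix and the choice between them is one pass versus one constant.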
| **Disclaimer**: This library contains encryption software that is subject to | ||
| the U.S. Export Administration Regulations. You may not export, re-export, | ||
| transfer or download this code or any part of it in violation of any United | ||
| States law, directive or regulation. In particular this software may not be | ||
| exported or re-exported in any form or on any media to Iran, North Sudan, | ||
| Syria, Cuba, or North Korea, or to denied persons or entities mentioned on any | ||
| US maintained blocked list. | ||
|
|
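Review bot: this hunk deletes only the README export-control disclaimer paragraph and touches no Go code, so it needs no functional verification; it is worth a sentence in the PR description, though, since "documentation updates" in the commit message does not make the removal obvious to someone scanning the vendor diff, and the thread's own point (the library calls into Go's crypto packages rather than shipping ciphers) is the context a later reader will want.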
This one was surprising, but more context in the PR;
As an open source project, we can make this globally available.
Also, there's not really any encryption software in go-jose - that's all in golang's crypto libraries.
full diff: go-jose/go-jose@v4.0.4...v4.0.5