Unmarshalling with encoding/json doesn't handle duplicates #1

Open
opened 2021-11-08 13:37:36 +00:00 by aydinmercan · 0 comments
aydinmercan commented 2021-11-08 13:37:36 +00:00 (Migrated from github.com)

Consider the following JWK:

{
    "use": "sig",
    "kid": "foobar",
    "alg": "EdDSA",
    "kty": "OKP",
    "crv": "Ed25519",
    "n": KEY_1,
    "n": KEY_2
}

When unmarshalled into a struct that has the field "n", we will get KEY_1 and not an error during the process.

Is This A Security Issue?

Probably not? Public keys should be fetched over TLS, QUIC etc. and obviously intercepted secure connections and/or unreliable authorities are something this library cannot, should not and would not do. However, considering how other libraries act this is a surefire way to cough up some vulns.

So This Behavior Can Stay?

No. This is still something to be fixed as this currently makes dumb-jose accept invalid JSON.

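One way to reject the duplicate before it ever reaches the struct (an added example, not dumb-jose's own code): walk the document with json.Decoder.Token and fail on any member name repeated within an object, then hand the bytes to encoding/json only if that check passes. The jwkHeader type and the sample document are constructed for this demo.

```go
package main
import (
	"bytes"
	"encoding/json"
	"fmt"
)
// Hypothetical JWK struct for this demo (not dumb-jose's type); "n" matches field N case-insensitively.
type jwkHeader struct{ Kty, N string }
// Constructed sample mirroring the issue: the member "n" appears twice.
const dupJWK = `{"use":"sig","kid":"foobar","alg":"EdDSA","kty":"OKP","crv":"Ed25519","n":"KEY_1","n":"KEY_2"}`
// frame is one open container: names seen so far, object-or-array, and whether a name comes next.
type frame struct{ seen map[string]bool; isObj, expectKey bool }
// checkNoDuplicateKeys walks the token stream and fails on the first member
// name repeated within any object, nested objects included.
func checkNoDuplicateKeys(data []byte) error {
	dec := json.NewDecoder(bytes.NewReader(data))
	var stack []*frame
	for len(stack) > 0 || dec.More() {
		tok, err := dec.Token()
		if err != nil {
			return err
		}
		if tok == json.Delim('}') || tok == json.Delim(']') {
			stack = stack[:len(stack)-1]
			continue
		}
		if n := len(stack); n > 0 && stack[n-1].isObj {
			top := stack[n-1]
			if top.expectKey {
				key, _ := tok.(string) // Decoder.Token guarantees member names are strings
				if top.seen[key] {
					return fmt.Errorf("duplicate key %q", key)
				}
				top.seen[key] = true
			}
			top.expectKey = !top.expectKey // names and values alternate
		}
		if tok == json.Delim('{') || tok == json.Delim('[') {
			stack = append(stack, &frame{map[string]bool{}, tok == json.Delim('{'), true})
		}
	}
	return nil
}
// strictUnmarshal rejects duplicate keys, then delegates to encoding/json.
func strictUnmarshal(data []byte, v interface{}) error {
	if err := checkNoDuplicateKeys(data); err != nil {
		return err
	}
	return json.Unmarshal(data, v)
}
```

Plain json.Unmarshal accepts dupJWK without complaint; strictUnmarshal returns an error naming the repeated member.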
Reference: jaiden/dumb-jose#1