fix(security): fix vulnerabilities in deps
awlayton committed Jan 13, 2023
1 parent ef4967a commit 3191215
Showing 16 changed files with 2,021 additions and 1,666 deletions.
3 changes: 3 additions & 0 deletions .eslintignore
@@ -1,3 +1,6 @@
dist
bundle.*
.test
coverage
.pnp.*
.yarn
15 changes: 9 additions & 6 deletions .eslintrc.yaml
@@ -1,6 +1,7 @@
root: true

extends:
- 'plugin:@typescript-eslint/recommended'
- plugin:node/recommended
- plugin:github/recommended
- plugin:promise/recommended
Expand All @@ -16,6 +17,7 @@ extends:
- prettier

plugins:
- '@typescript-eslint'
- node
- github
- promise
Expand All @@ -35,18 +37,18 @@ parser: '@typescript-eslint/parser'

parserOptions:
ecmaVersion: 2020
project: './**/tsconfig.*'
project: './**/tsconfig*.json'

overrides:
- files: '*.ts'
- files: '*.{c,m,}ts'
extends:
- plugin:github/typescript
- plugin:import/typescript
- xo-typescript
- prettier
parserOptions:
ecmaVersion: 2020
project: './**/tsconfig.*'
project: './**/tsconfig*.json'
rules:
'@typescript-eslint/naming-convention':
[
Expand Down Expand Up @@ -88,14 +90,15 @@ overrides:
argsIgnorePattern: '^_',
},
]
'@typescript-eslint/consistent-type-definitions': [warn, interface]

rules:
notice/notice:
- error
- template: |
/**
* @license
* Copyright <%= YEAR %> Open Ag Data Alliance
* Copyright <%= YEAR %> Qlever LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -113,16 +116,16 @@ rules:
nonMatchingTolerance: 0.7
sonarjs/no-duplicate-string: [warn, 5]
sonarjs/cognitive-complexity: warn
eslint-comments/no-unused-disable: off
import/extensions: off
node/no-unpublished-import: off
spaced-comment: [error, always, markers: [/, //]]
filenames/match-regex: off
unicorn/filename-case: off
i18n-text/no-en: off
eslint-comments/no-use: off
no-secrets/no-secrets: error
no-secrets/no-secrets: [error, { tolerance: 5 }]
no-empty-label: off
no-return-await: off
no-warning-comments: off
node/no-missing-import: off
import/no-unresolved: off
Expand Down
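Review bot: The `no-secrets/no-secrets: [error, { tolerance: 5 }]` change relaxes the entropy threshold of the secrets detector if 5 is above the plugin's default (which I believe is 4), so fewer high-entropy literals will be reported than before; that is worth a one-line justification next to the rule, e.g. `# tolerance raised to 5 to avoid false positives on <placeholder: which strings>; keep under review`. If the intent was only to silence specific false positives, a targeted `eslint-disable-next-line` at those sites keeps the global threshold strict. The surrounding `rules:` map continues past the hunk.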
211 changes: 103 additions & 108 deletions .yarn/plugins/@yarnpkg/plugin-interactive-tools.cjs

Large diffs are not rendered by default.

786 changes: 0 additions & 786 deletions .yarn/releases/yarn-3.2.1.cjs

This file was deleted.

823 changes: 823 additions & 0 deletions .yarn/releases/yarn-3.3.1.cjs

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion .yarnrc.yml
Expand Up @@ -6,4 +6,4 @@ plugins:
- path: .yarn/plugins/@yarnpkg/plugin-interactive-tools.cjs
spec: "@yarnpkg/plugin-interactive-tools"

yarnPath: .yarn/releases/yarn-3.2.1.cjs
yarnPath: .yarn/releases/yarn-3.3.1.cjs
2 changes: 1 addition & 1 deletion karma.conf.js
Expand Up @@ -15,7 +15,7 @@
* limitations under the License.
*/

/* eslint-disable unicorn/prevent-abbreviations, import/no-commonjs, unicorn/prefer-module */
/* eslint-disable unicorn/prevent-abbreviations, import/no-commonjs, unicorn/prefer-module, @typescript-eslint/no-var-requires */

const webpack = require('webpack');
const puppeteer = require('puppeteer');
Expand Down
78 changes: 39 additions & 39 deletions package.json
@@ -1,6 +1,6 @@
{
"name": "jwt-bearer-client-auth",
"version": "2.0.2",
"version": "2.0.3",
"description": "Create and verify JWT bearer client assertions from the OAuth-JWT-bearer RFC",
"main": "dist/index.js",
"files": [
Expand Down Expand Up @@ -80,86 +80,86 @@
"@oada/certs": "^4.1.1",
"jsonwebtoken": "^8.5.1",
"pem-jwk": "^2.0.0",
"tslib": "^2.4.0"
"tslib": "^2.4.1"
},
"devDependencies": {
"@commitlint/cli": "^17.0.3",
"@commitlint/config-conventional": "^17.0.3",
"@commitlint/cli": "^17.4.2",
"@commitlint/config-conventional": "^17.4.2",
"@tsconfig/node12": "^1.0.11",
"@types/chai": "^4.3.1",
"@types/chai": "^4.3.4",
"@types/chai-as-promised": "^7.1.5",
"@types/events": "^3.0.0",
"@types/jsonwebtoken": "^8.5.8",
"@types/jsonwebtoken": "^8.5.9",
"@types/jws": "^3.2.4",
"@types/karma-chrome-launcher": "^3.1.1",
"@types/mocha": "^9.1.1",
"@types/node": "12.20.55",
"@types/mocha": "^10.0.1",
"@types/node": "^12.20.55",
"@types/node-jose": "^1.1.10",
"@types/pem-jwk": "^2.0.0",
"@types/prettier": "^2.6.3",
"@types/source-map-support": "^0.5.4",
"@typescript-eslint/eslint-plugin": "^5.30.6",
"@typescript-eslint/parser": "^5.30.6",
"@yarnpkg/sdks": "^3.0.0-rc.12",
"@types/prettier": "^2.7.2",
"@types/source-map-support": "^0.5.6",
"@typescript-eslint/eslint-plugin": "^5.48.1",
"@typescript-eslint/parser": "^5.48.1",
"@yarnpkg/sdks": "^3.0.0-rc.35",
"assert": "^2.0.0",
"brfs": "^2.0.2",
"browserify": "^17.0.0",
"buffer": "^6.0.3",
"c8": "^7.11.3",
"chai": "^4.3.6",
"c8": "^7.12.0",
"chai": "^4.3.7",
"chai-as-promised": "^7.1.1",
"crypto-browserify": "^3.12.0",
"eslint": "^8.19.0",
"eslint-config-prettier": "^8.5.0",
"eslint-config-xo": "^0.41.0",
"eslint-config-xo-typescript": "^0.51.1",
"eslint": "^8.31.0",
"eslint-config-prettier": "^8.6.0",
"eslint-config-xo": "^0.43.1",
"eslint-config-xo-typescript": "^0.55.1",
"eslint-formatter-pretty": "^4.1.0",
"eslint-import-resolver-node": "^0.3.6",
"eslint-plugin-array-func": "^3.1.7",
"eslint-import-resolver-node": "^0.3.7",
"eslint-plugin-array-func": "^3.1.8",
"eslint-plugin-ava": "^13.2.0",
"eslint-plugin-eslint-comments": "^3.2.0",
"eslint-plugin-filenames": "^1.3.2",
"eslint-plugin-github": "^4.3.6",
"eslint-plugin-github": "^4.6.0",
"eslint-plugin-i18n-text": "^1.0.1",
"eslint-plugin-import": "^2.26.0",
"eslint-plugin-import": "^2.27.4",
"eslint-plugin-no-constructor-bind": "^2.0.4",
"eslint-plugin-no-only-tests": "^2.6.0",
"eslint-plugin-no-only-tests": "^3.1.0",
"eslint-plugin-no-secrets": "^0.8.9",
"eslint-plugin-node": "^11.1.0",
"eslint-plugin-notice": "^0.9.10",
"eslint-plugin-optimize-regex": "^1.2.1",
"eslint-plugin-prettier": "^4.2.1",
"eslint-plugin-promise": "^6.0.0",
"eslint-plugin-regexp": "^1.7.0",
"eslint-plugin-security": "^1.5.0",
"eslint-plugin-sonarjs": "^0.13.0",
"eslint-plugin-unicorn": "^43.0.1",
"eslint-plugin-promise": "^6.1.1",
"eslint-plugin-regexp": "^1.12.0",
"eslint-plugin-security": "^1.6.0",
"eslint-plugin-sonarjs": "^0.18.0",
"eslint-plugin-unicorn": "^45.0.2",
"events": "^3.3.0",
"jws": "^4.0.0",
"karma": "^6.4.0",
"karma": "^6.4.1",
"karma-browserify": "^8.1.0",
"karma-chrome-launcher": "^3.1.1",
"karma-firefox-launcher": "^2.1.2",
"karma-mocha": "^2.0.1",
"karma-mocha-reporter": "^2.2.5",
"karma-vivaldi-launcher": "^0.0.1",
"karma-webpack": "^5.0.0",
"mocha": "^10.0.0",
"mocha": "^10.2.0",
"os-browserify": "^0.3.0",
"path-browserify": "^1.0.1",
"prettier": "^2.7.1",
"prettier": "^2.8.2",
"process": "^0.11.10",
"puppeteer": "^15.4.0",
"puppeteer": "^19.5.2",
"stream-browserify": "^3.0.0",
"string_decoder": "^1.3.0",
"superagent": "^8.0.0",
"superagent": "^8.0.6",
"transform-loader": "^0.2.4",
"ts-loader": "^9.3.1",
"ts-loader": "^9.4.2",
"ts-node": "^10.9.1",
"typescript": "^4.7.4",
"typescript": "4.8.3",
"url": "^0.11.0",
"util": "^0.12.4",
"webpack": "^5.73.0"
"util": "^0.12.5",
"webpack": "^5.75.0"
},
"packageManager": "yarn@3.2.1"
"packageManager": "yarn@3.3.1"
}
4 changes: 2 additions & 2 deletions src/generate.ts
Expand Up @@ -15,8 +15,8 @@
* limitations under the License.
*/

import { RSA_JWK, jwk2pem } from 'pem-jwk';
import { SignOptions, sign } from 'jsonwebtoken';
import { type RSA_JWK, jwk2pem } from 'pem-jwk';
import { type SignOptions, sign } from 'jsonwebtoken';

import { jwksUtils as jwks } from '@oada/certs';

Expand Down
23 changes: 18 additions & 5 deletions src/verify.ts
Expand Up @@ -15,7 +15,7 @@
* limitations under the License.
*/

import { RSA_JWK, jwk2pem } from 'pem-jwk';
import { type RSA_JWK, jwk2pem } from 'pem-jwk';
import { verify as jwtVerify } from 'jsonwebtoken';

import { jwksUtils as jwks } from '@oada/certs';
Expand All @@ -39,12 +39,25 @@ export async function verify({
const jwk = await jwks.jwkForSignature(token, hint);
const key = jwk.kty === 'PEM' ? jwk.pem : jwk2pem(jwk as RSA_JWK);

const verifyOptions = {
const jwtPayload = jwtVerify(token, key, {
issuer,
audience: tokenEndpoint,
};

const jwtPayload = jwtVerify(token, key, verifyOptions);
// HACK: Avoid vulnerability CVE-2022-23540, CVE-2022-23529
algorithms: [
'HS256',
'HS384',
'HS512',
'RS256',
'RS384',
'RS512',
'ES256',
'ES384',
'ES512',
'PS256',
'PS384',
'PS512',
],
});
if (typeof jwtPayload === 'string') {
throw new TypeError(`Failed to parse payload: ${jwtPayload}`);
}
Expand Down
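Review bot: The `algorithms` allow-list passed to `jwtVerify` still contains `'HS256'`, `'HS384'` and `'HS512'`, while `key` on the line above the call is always a PEM-encoded asymmetric key (`jwk.pem` or `jwk2pem(jwk as RSA_JWK)`), so the key-confusion issue the cited CVE-2022-23540 / CVE-2022-23529 describe is not closed by this list — an explicit allow-list only helps when the HMAC entries are absent. Remove the three HS entries, or better derive the list from `jwk.kty` (RS*/PS* for RSA keys, ES* for EC keys) so the accepted algorithms always match the key type. The `// HACK` comment should also say why the workaround exists and when it can go: `jsonwebtoken` stays at `^8.5.1` in package.json, whose default accepts HMAC algorithms with a public key, and as I recall the upstream fix landed in 9.0.0, so something like `// HACK: explicit allow-list until jsonwebtoken >= 9 (CVE-2022-23540, CVE-2022-23529); must never include HS* for asymmetric keys`. The body of `verify` starts above this hunk and continues below it.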
4 changes: 2 additions & 2 deletions test/generate.test.ts
Expand Up @@ -40,15 +40,15 @@ describe('generate', () => {
const privatePem = {
kid: 'abc123',
kty: 'PEM',
// eslint-disable-next-line prefer-template, security/detect-non-literal-fs-filename
// eslint-disable-next-line prefer-template
pem: fs.readFileSync(__dirname + '/keys/abc123.private.pem').toString(),
} as const;
// eslint-disable-next-line @typescript-eslint/consistent-type-assertions
const privateJwk = { ...pem2jwk(privatePem.pem), kid: 'abc123' } as JWK;
const publicPem = {
kid: 'abc123',
kty: 'PEM',
// eslint-disable-next-line prefer-template, security/detect-non-literal-fs-filename
// eslint-disable-next-line prefer-template
pem: fs.readFileSync(__dirname + '/keys/abc123.public.pem').toString(),
} as const;
const expiresIn = 123;
Expand Down
38 changes: 25 additions & 13 deletions test/keys/abc123.private.pem
@@ -1,15 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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MIIEowIBAAKCAQEAvBzUtsU+kAgVk1k/Dnd3bnfg3madmQQ09UjquDEV7irmzUXo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-----END RSA PRIVATE KEY-----
14 changes: 9 additions & 5 deletions test/keys/abc123.public.pem
@@ -1,5 +1,9 @@
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAN+fWcpCyE5KPzHDjigLaSUVZI0uYrcGcc40InVtl+rQRDmAh+C2W8H4
/Hxhr5VLc6crsJ2LiJTV/E72S03pzpOOaaYV6+TzAjCou2GYJIXev7f6Hh512PuG
5wyxda/TlBSsI+gvphRTPsKCnPutrbiukCYrnPuWxX5/cES9eStRAgMBAAE=
-----END RSA PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvBzUtsU+kAgVk1k/Dnd3
bnfg3madmQQ09UjquDEV7irmzUXo7sEt9FTpnwvtGiyXk09Lqjq+ihjOvO8BfSnb
vGTdVSqNeWDNgRp8p6leh6jNL4MFj3jdfVp+KVhB2uTHIh3jf589pzSd12aKLtWn
egcmJGysNtSCQJYFMVM7USkr8pcFhlZKby1a+tov76EQ1nMySUvbW8DTWhgQe8U7
Qx9ABHn9BzyPlvifbSCE1//cx2OFq+Xo64ZBhCtY3UbOJBonirMK/n7jUk2f+50a
veEw/k/4XxtID8+sV+74hdfVuoZqQO++YufFABlhMtqJEQewhjNxRUewgT9iMdYz
oQIDAQAB
-----END PUBLIC KEY-----
4 changes: 2 additions & 2 deletions test/verify.test.ts
Expand Up @@ -39,13 +39,13 @@ describe('verify', () => {
const privatePem = {
kid: 'abc123',
kty: 'PEM',
// eslint-disable-next-line prefer-template, security/detect-non-literal-fs-filename
// eslint-disable-next-line prefer-template
pem: fs.readFileSync(__dirname + '/keys/abc123.private.pem').toString(),
} as const;
const publicPem = {
kid: 'abc123',
kty: 'PEM',
// eslint-disable-next-line prefer-template, security/detect-non-literal-fs-filename
// eslint-disable-next-line prefer-template
pem: fs.readFileSync(__dirname + '/keys/abc123.public.pem').toString(),
} as const;
// eslint-disable-next-line @typescript-eslint/consistent-type-assertions
Expand Down
9 changes: 8 additions & 1 deletion tsconfig.eslint.json
Expand Up @@ -4,6 +4,13 @@
"noEmit": true,
"allowJs": true
},
"include": ["**/*.ts", "**/*.js"],
"include": [
"**/*.ts",
"**/*.js",
"**/*.cjs",
"**/*.mjs",
"**/*.cts",
"**/*.mts"
],
"exclude": []
}