From 1e800c040d5993cef7c600e1020d39f60d76d96b Mon Sep 17 00:00:00 2001 From: Oleksandr Pravosudko Date: Mon, 15 Nov 2021 15:28:56 +0200 Subject: [PATCH 1/2] chore: bump uuid dependency to 8.x and enforce minimal node version --- package.json | 5 ++++- test/algs.js | 10 +++++----- test/builder.js | 16 ++++++++-------- test/jwt.js | 18 +++++++++--------- test/key-resolver.js | 2 +- test/others.js | 16 ++++++++-------- test/verifier.js | 22 +++++++++++----------- yarn.lock | 5 +++++ 8 files changed, 51 insertions(+), 43 deletions(-) diff --git a/package.json b/package.json index 7e8a036..4b93d23 100644 --- a/package.json +++ b/package.json @@ -2,6 +2,9 @@ "name": "njwt", "version": "1.1.0", "description": "JWT Library for Node.js", + "engines": { + "node": ">=6.0" + }, "main": "index.js", "types": "index.d.ts", "scripts": { @@ -28,7 +31,7 @@ "dependencies": { "@types/node": "^15.0.1", "ecdsa-sig-formatter": "^1.0.5", - "uuid": "^3.3.2" + "uuid": "^8.3.2" }, "devDependencies": { "@typescript-eslint/eslint-plugin": "^4.22.0", diff --git a/test/algs.js b/test/algs.js index fec03e6..1d0bdbd 100644 --- a/test/algs.js +++ b/test/algs.js @@ -5,15 +5,15 @@ var fs = require('fs'); var path = require('path'); function itShouldBeAValidJwt(jwt){ - assert(nJwt.create({},uuid()) instanceof nJwt.Jwt); + assert(nJwt.create({},uuid.v4()) instanceof nJwt.Jwt); var nowUnix = Math.floor(new Date().getTime()/1000); - assert.equal(nJwt.create({},uuid()).body.iat , nowUnix); + assert.equal(nJwt.create({},uuid.v4()).body.iat , nowUnix); assert(jwt.body.jti.match(/[a-zA-Z0-9]+[-]/)); } function testHmacAlg(alg,done){ - var key = uuid(); - var claims = { hello: uuid(), debug: true }; + var key = uuid.v4(); + var claims = { hello: uuid.v4(), debug: true }; var jwt = nJwt.create(claims,key,alg); var token = jwt.compact(); 
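Review bot: The new `"engines": { "node": ">=6.0" }` floor in the first package.json hunk looks lower than what the `uuid@^8.3.2` dependency added in the second hunk itself supports — I believe the uuid 8.x line dropped Node 6 — so the floor should be checked against uuid 8.3.2's published support matrix before release, with `"node": ">=8.0"` the likely honest minimum. The uuid 7 line removed the package's default export, which is why every test hunk rewrites `uuid()` as `uuid.v4()`; index.js is not part of this patch, so confirm the library itself already calls a named method, otherwise token creation would break at runtime while the tests pass. Separately, the yarn.lock hunk still carries `uuid@^3.3.2` resolving to 3.4.0 as unchanged context, so presumably another package in the tree keeps pulling the 3.x release; since the changelog entry in the second patch describes this change as resolving a uuid vulnerability, verify whether that remaining 3.x copy is reachable at runtime or only through devDependencies.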
@@ -27,7 +27,7 @@ function testHmacAlg(alg,done){ } function testKeyAlg(alg,keyPair,done){ - var claims = { hello: uuid(), debug: true }; + var claims = { hello: uuid.v4(), debug: true }; var jwt = nJwt.create(claims,keyPair.private,alg); var token = jwt.compact(); diff --git a/test/builder.js b/test/builder.js index 424109a..33437d4 100644 --- a/test/builder.js +++ b/test/builder.js @@ -27,7 +27,7 @@ describe('create()',function(){ }); it('should create a default token if the scret is the only value',function(){ - assert(nJwt.create(uuid()) instanceof nJwt.Jwt); + assert(nJwt.create(uuid.v4()) instanceof nJwt.Jwt); }); it('should throw if using defaults without a secret key',function(){ 
@@ -45,33 +45,33 @@ describe('create()',function(){ describe('with a signing key',function(){ it('should return a JWT',function(){ - assert(nJwt.create({},uuid()) instanceof nJwt.Jwt); + assert(nJwt.create({},uuid.v4()) instanceof nJwt.Jwt); }); it('should use HS256 by default',function(){ - assert.equal(nJwt.create({},uuid()).header.alg,'HS256'); + assert.equal(nJwt.create({},uuid.v4()).header.alg,'HS256'); }); it('should create the iat field',function(){ var nowUnix = Math.floor(new Date().getTime()/1000); - assert.equal(nJwt.create({},uuid()).body.iat , nowUnix); + assert.equal(nJwt.create({},uuid.v4()).body.iat , nowUnix); }); it('should not overwrite a defined iat field',function(){ - assert.equal(nJwt.create({iat: 1},uuid()).body.iat , 1); + assert.equal(nJwt.create({iat: 1},uuid.v4()).body.iat , 1); }); it('should create the exp field, defaulted to 1 hour',function(){ var oneHourFromNow = Math.floor(new Date().getTime()/1000) + (60*60); - assert.equal(nJwt.create({},uuid()).body.exp , oneHourFromNow); + assert.equal(nJwt.create({},uuid.v4()).body.exp , oneHourFromNow); }); it('should not overwrite a defined jti field',function(){ - assert.equal(nJwt.create({jti: 1},uuid()).body.jti , 1); + assert.equal(nJwt.create({jti: 1},uuid.v4()).body.jti , 1); }); it('should create the jti field',function(){ - var jwt = nJwt.create({},uuid()); + var jwt = nJwt.create({},uuid.v4()); assert(jwt.body.jti.match(/[a-zA-Z0-9]+[-]/)); }); diff --git a/test/jwt.js b/test/jwt.js index a33ff5c..3df242a 100644 --- a/test/jwt.js +++ b/test/jwt.js 
@@ -10,28 +10,28 @@ describe('Jwt',function() { describe('.setClaim()',function(){ it('should set a claim on the claims body',function(){ - var myClaim = uuid(); + var myClaim = uuid.v4(); assert.equal(nJwt.Jwt().setClaim('myClaim', myClaim).body.myClaim,myClaim); }); }); describe('.setHeader()',function(){ it('should set a header param on the header',function(){ - var kid = uuid(); + var kid = uuid.v4(); assert.equal(nJwt.Jwt().setHeader('kid', kid).header.kid,kid); }); }); describe('.setSubject()',function(){ it('should set the sub claim',function(){ - var sub = uuid(); + var sub = uuid.v4(); assert.equal(nJwt.Jwt().setSubject(sub).body.sub,sub); }); }); describe('.setIssuer()',function(){ it('should set the iss claim',function(){ - var iss = uuid(); + var iss = uuid.v4(); assert.equal(nJwt.Jwt().setIssuer(iss).body.iss,iss); }); }); @@ -52,9 +52,9 @@ describe('Jwt',function() { ); }); it('should allow me to remove the exp field',function(){ - var jwt = nJwt.create({},uuid()); + var jwt = nJwt.create({},uuid.v4()); var oneHourFromNow = Math.floor(new Date().getTime()/1000) + (60*60); - assert.equal(nJwt.create({},uuid()).body.exp , oneHourFromNow); + assert.equal(nJwt.create({},uuid.v4()).body.exp , oneHourFromNow); assert.equal(jwt.setExpiration().body.exp, undefined); assert.equal(jwt.setExpiration(false).body.exp, undefined); assert.equal(jwt.setExpiration(null).body.exp, undefined); @@ -79,9 +79,9 @@ describe('Jwt',function() { ); }); it('should allow me to remove the nbf field',function(){ - var jwt = nJwt.create({},uuid()); + var jwt = nJwt.create({},uuid.v4()); var oneHourFromNow = Math.floor(new Date().getTime()/1000) + (60*60); - assert.equal(nJwt.create({},uuid()).body.nbf , undefined); + assert.equal(nJwt.create({},uuid.v4()).body.nbf , undefined); assert.equal(jwt.setNotBefore().body.nbf, undefined); assert.equal(jwt.setNotBefore(false).body.nbf, undefined); assert.equal(jwt.setNotBefore(null).body.nbf, undefined); 
@@ -107,7 +107,7 @@ describe('Jwt',function() { }); describe('.toString()',function(){ it('should return the compacted JWT string',function(){ - var jwt = nJwt.create({},uuid()); + var jwt = nJwt.create({},uuid.v4()); assert.equal(jwt.compact(),jwt.toString()); }); }); diff --git a/test/key-resolver.js b/test/key-resolver.js index a9faf38..4e9e86f 100644 --- a/test/key-resolver.js +++ b/test/key-resolver.js @@ -41,7 +41,7 @@ describe('Verifier', function() { beforeEach(function() { callCount = 0; keyKid = '123'; - signingKey = uuid(); + signingKey = uuid.v4(); keyResolver = function(kid, cb) { callCount++; assert(kid === keyKid); diff --git a/test/others.js b/test/others.js index 4a10d36..7f6c28d 100644 --- a/test/others.js +++ b/test/others.js @@ -6,8 +6,8 @@ var jwtSimple = require('jwt-simple'); describe('this library',function () { it('should generate tokens that can be verified by jsonwebtoken',function(done){ - var key = uuid(); - var claims = {hello:uuid()}; + var key = uuid.v4(); + var claims = {hello:uuid.v4()}; var jwt = nJwt.create(claims,key); var token = jwt.compact(); assert.doesNotThrow(function(){ @@ -23,8 +23,8 @@ describe('this library',function () { }); it('should be able to verify tokens from jsonwebtoken',function(done){ - var claims = {hello:uuid()}; - var key = uuid(); + var claims = {hello:uuid.v4()}; + var key = uuid.v4(); var token = jsonwebtoken.sign(claims, key); nJwt.verify(token,key,function(err,jwt){ assert.isNull(err,'An unexpcted error was returned'); @@ -34,8 +34,8 @@ describe('this library',function () { }); it('should generate tokens that can be verified by jwt-simple',function(done){ - var key = uuid(); - var claims = {hello:uuid()}; + var key = uuid.v4(); + var claims = {hello:uuid.v4()}; var jwt = nJwt.create(claims,key); var token = jwt.compact(); var decoded; 
@@ -51,8 +51,8 @@ describe('this library',function () { }); it('should be able to verify tokens from jwt-simple',function(done){ - var claims = {hello:uuid()}; - var key = uuid(); + var claims = {hello:uuid.v4()}; + var key = uuid.v4(); var token = jwtSimple.encode(claims, key); nJwt.verify(token,key,function(err,jwt){ assert.isNull(err,'An unexpcted error was returned'); diff --git a/test/verifier.js b/test/verifier.js index 7d529a3..7fcbc5a 100644 --- a/test/verifier.js +++ b/test/verifier.js @@ -41,7 +41,7 @@ describe('.verify()',function(){ }); it('should not alter the JWT, it should be compact-able as the same token',function(){ - var orignalJwt = new nJwt.Jwt({hello: uuid()}, false).setSigningAlgorithm('none'); + var orignalJwt = new nJwt.Jwt({hello: uuid.v4()}, false).setSigningAlgorithm('none'); var originalToken = orignalJwt.compact(); var verifiedJwt = nJwt.verify(originalToken); assert.equal(originalToken, verifiedJwt.compact()); @@ -49,7 +49,7 @@ describe('.verify()',function(){ describe('if given only a token',function(){ it('should verify tokens that are alg none',function(){ - var claims = {hello: uuid()}; + var claims = {hello: uuid.v4()}; var token = new nJwt.Jwt(claims) .setSigningAlgorithm('none') .compact(); @@ -58,8 +58,8 @@ describe('.verify()',function(){ }); }); it('should reject tokens that specify an alg',function(){ - var claims = {hello: uuid()}; - var key = uuid(); + var claims = {hello: uuid.v4()}; + var key = uuid.v4(); var token = new nJwt.create(claims,key) .compact(); assert.throws(function(){ @@ -90,7 +90,7 @@ describe('.verify()',function(){ }); it('should give me the parsed header on the error object if the body fails',function(done){ - var header = nJwt.JwtHeader({typ:'JWT',alg:uuid()}); + var header = nJwt.JwtHeader({typ:'JWT',alg:uuid.v4()}); var invalidJwt = header.compact()+'.notavalidbody'; nJwt.verify(invalidJwt,function(err){ assert.equal(err.jwtString, invalidJwt); 
@@ -106,7 +106,7 @@ describe('Verifier().verify() ',function(){ it('should support sync usage',function(){ var verifier = new nJwt.Verifier() .setSigningAlgorithm('none'); - var claims = {hello: uuid()}; + var claims = {hello: uuid.v4()}; var token = new nJwt.Jwt(claims).compact(); var verifiedToken; assert.doesNotThrow(function(){ @@ -123,7 +123,7 @@ describe('Verifier().verify() ',function(){ }); it('should return the jwt string, header and body on error objects',function(done){ - var jwt = new nJwt.Jwt({expiredToken:uuid()}) + var jwt = new nJwt.Jwt({expiredToken:uuid.v4()}) .setExpiration(new Date().getTime()-1000); var token = jwt.compact(); nJwt.verify(token,function(err){ @@ -136,7 +136,7 @@ describe('Verifier().verify() ',function(){ }); it('should return the jwt string, header and body on error objects with not active message',function(done){ - var jwt = new nJwt.Jwt({notActiveToken:uuid()}) + var jwt = new nJwt.Jwt({notActiveToken:uuid.v4()}) .setNotBefore(new Date().getTime()+1000); var token = jwt.compact(); nJwt.verify(token,function(err){ @@ -149,7 +149,7 @@ describe('Verifier().verify() ',function(){ }); it('should return the jwt string, header and body with null error objects',function(done){ - var jwt = new nJwt.Jwt({notActiveToken:uuid()}); + var jwt = new nJwt.Jwt({notActiveToken:uuid.v4()}); var token = jwt.compact(); nJwt.verify(token,function(err){ assert.isNull(err); @@ -162,7 +162,7 @@ describe('Verifier().verify() ',function(){ var verifier = new nJwt.Verifier() .setSigningAlgorithm('none'); - var claims = {hello: uuid()}; + var claims = {hello: uuid.v4()}; describe('and given an unsigned token',function(){ var result; @@ -273,7 +273,7 @@ describe('Verifier().verify() ',function(){ .setSigningAlgorithm('HS256') .setSigningKey(key); - var claims = {hello:uuid()}; + var claims = {hello:uuid.v4()}; describe('and given a token that was signed with the same key',function(){ var result; 
diff --git a/yarn.lock b/yarn.lock index ef6fe7c..113ae79 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2792,6 +2792,11 @@ uuid@^3.3.2: resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.4.0.tgz#b23e4358afa8a202fe7a100af1f5f883f02007ee" integrity sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A== +uuid@^8.3.2: + version "8.3.2" + resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.3.2.tgz#80d5b5ced271bb9af6c445f21a1a04c606cefbe2" + integrity sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg== + v8-compile-cache@^2.0.3: version "2.3.0" resolved "https://registry.yarnpkg.com/v8-compile-cache/-/v8-compile-cache-2.3.0.tgz#2de19618c66dc247dcfb6f99338035d8245a2cee" From 4913f46cbdd94850e9fecb48d89203fe9cab0cea Mon Sep 17 00:00:00 2001 From: Oleksandr Pravosudko Date: Mon, 15 Nov 2021 16:30:10 +0200 Subject: [PATCH 2/2] bump package version to 1.2.0 and add changelog entry --- CHANGELOG.md | 4 ++++ package.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8526470..f5f58ae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # nJwt Change Log +### 1.2.0 + +* [#84] (https://github.com/jwtk/njwt/pull/84) Resolves `uuid` vulnerability. + ### 1.1.0 * [#77](https://github.com/jwtk/njwt/pull/77) Adds TypeScript type definitions. diff --git a/package.json b/package.json index 4b93d23..de4bb4b 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "njwt", - "version": "1.1.0", + "version": "1.2.0", "description": "JWT Library for Node.js", "engines": { "node": ">=6.0"