Merge pull request #1753 from chriswhite199/jsonwebtoken-vuln

This commit is contained in:
a3957273 2024-03-29 00:56:17 +00:00 committed by GitHub
commit 6edf731d46
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 40 additions and 13 deletions


@ -50,7 +50,12 @@ class JWTSign extends Operation {
try {
return jwt.sign(input, key, {
algorithm: algorithm === "None" ? "none" : algorithm
algorithm: algorithm === "None" ? "none" : algorithm,
// To utilize jsonwebtoken 9+ library and maintain backwards compatibility for regression tests
// This could be turned into operation args in a future PR
allowInsecureKeySizes: true,
allowInvalidAsymmetricKeyTypes: true
});
} catch (err) {
throw new OperationError(`Error: Have you entered the key correctly? The key should be either the secret for HMAC algorithms or the PEM-encoded private key for RSA and ECDSA.