jgaunt/CyberChef
2
0
Fork 0
mirror of https://github.com/gchq/CyberChef synced 2026-01-08 03:23:34 +00:00
Code Issues Releases Wiki Activity

Merge pull request #1753 from chriswhite199/jsonwebtoken-vuln

Browse Source
This commit is contained in:
a3957273
2024-03-29 00:56:17 +00:00
committed by GitHub
parent 6fd00e2598 ef5ff5bec6
commit 6edf731d46
3 changed files with 40 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/core/operations/JWTSign.mjs
View File

@@ -50,7 +50,12 @@ class JWTSign extends Operation {
try {
return jwt.sign(input, key, {
algorithm: algorithm === "None" ? "none" : algorithm
algorithm: algorithm === "None" ? "none" : algorithm,
// To utilize jsonwebtoken 9+ library and maintain backwards compatibility for regression tests
// This could be turned into operation args in a future PR
allowInsecureKeySizes: true,
allowInvalidAsymmetricKeyTypes: true
});
} catch (err) {
throw new OperationError(`Error: Have you entered the key correctly? The key should be either the secret for HMAC algorithms or the PEM-encoded private key for RSA and ECDSA.