This repository has been archived by the owner on May 21, 2022. It is now read-only.
Panic seen when parsing invalid 'exp' claim attribute #479
Open
Description
In version 4.0.0 of the library, I noticed in my tests that a panic was seen when parsing the 'exp' claim attribute. From the code, it appears that the validation of the parsed value did not check for the error and dereferenced the value, causing it to panic.
Claim values used for testing:
{ "iss": "87190e4d-db7a", "sub": "714a4cfc-9ba7", "aud": "5GCORE", "scope": "somescope", "exp": "not/an/actual/date" }
algorithm: RS256
File time.go:
// UnmarshalJSON implements the json package's Unmarshaler interface
func (t *Time) UnmarshalJSON(data []byte) error {
    var value json.Number
    err := json.Unmarshal(data, &value)
    if err != nil {
        return err
    }
    v, err := ParseTime(value)
    *t = *v // <== dereference causing panic
    return err
}
Panic:
    /usr/lib/go/src/runtime/panic.go:679 +0x1b2
github.com/dgrijalva/jwt-go/v4.(*Time).UnmarshalJSON(0xc0001a5700, 0xc000160468, 0x14, 0x15, 0x7f6c4451afd8, 0xc0001a5700)
    /root/go/pkg/mod/github.com/dgrijalva/jwt-go/[email protected]/time.go:70 +0xc4
encoding/json.(*decodeState).literalStore(0xc0002efb80, 0xc000160468, 0x14, 0x15, 0xc07c00, 0xc0001943a8, 0x196, 0x0, 0xbd, 0xc0002efba8)
    /usr/lib/go/src/encoding/json/decode.go:918 +0x2b7b
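The dereference-before-error-check pattern reported above, next to an error-checked form, run against the claim values from the issue. This is an added example, not the library's code: `parseTime`, `unsafeTime`, `safeTime`, the two claims structs and `decodeExp` are hypothetical stand-ins, and the stand-in parser decodes straight to `float64` instead of going through `json.Number`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)
// Claim values from the issue; "exp" is a string, not a numeric date.
const issueClaims = `{"iss":"87190e4d-db7a","sub":"714a4cfc-9ba7","aud":"5GCORE","scope":"somescope","exp":"not/an/actual/date"}`

// parseTime is a hypothetical stand-in: on bad input it returns (nil, err).
func parseTime(data []byte) (*time.Time, error) {
	var secs float64
	if err := json.Unmarshal(data, &secs); err != nil {
		return nil, err
	}
	t := time.Unix(int64(secs), 0)
	return &t, nil
}

// unsafeTime repeats the reported pattern: dereference first, return err after.
type unsafeTime struct{ time.Time }
type unsafeClaims struct{ Exp unsafeTime `json:"exp"` }
func (t *unsafeTime) UnmarshalJSON(data []byte) error {
	v, err := parseTime(data)
	t.Time = *v // v is nil whenever err != nil
	return err
}

// safeTime only touches the parsed value when there is no error.
type safeTime struct{ time.Time }
type safeClaims struct{ Exp safeTime `json:"exp"` }
func (t *safeTime) UnmarshalJSON(data []byte) error {
	v, err := parseTime(data)
	if err == nil {
		t.Time = *v
	}
	return err
}

// decodeExp unmarshals claims into dst and reports a panic instead of crashing.
func decodeExp(claims string, dst interface{}) (panicked bool, err error) {
	defer func() { panicked = recover() != nil }()
	return false, json.Unmarshal([]byte(claims), dst)
}

func main() {
	fmt.Println(decodeExp(issueClaims, &unsafeClaims{})) // true <nil>
	fmt.Println(decodeExp(issueClaims, &safeClaims{}))
}
```

A `recover` wrapper like `decodeExp` at the token-parsing boundary keeps a malformed claim from taking down the whole process while an unpatched dependency is still in use.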