diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6c4d201..2efe756 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # nJwt Change Log
+### 2.0.1
+
+* [#107](https://github.com/jwtk/njwt/pull/107) Freeze `prototype` of all classes to prevent prototype pollution vuln ([CVE-2024-34273](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-34273))
+
 ### 2.0.0
 * [#98](https://github.com/jwtk/njwt/pull/98) Bumps jsonwebtoken version, drop Node < 12 from engines
diff --git a/index.d.ts b/index.d.ts
index 0ef8a4a..c74bcb2 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -61,12 +61,11 @@ export declare class JwtBody {
 toJSON(): JSONMap;
 compact(): string;
 }
-export declare function JwtHeader(header: JwtHeaderOptions): JwtHeader;
+export declare function JwtHeader(header: JwtHeaderOptions, enforceDefaultFields?: boolean): JwtHeader;
 export declare class JwtHeader {
- constructor(header: JwtHeaderOptions);
+ constructor(header: JwtHeaderOptions, enforceDefaultFields?: boolean);
 typ: string;
 alg: string;
- reservedKeys: string[];
 compact(): string;
 }
diff --git a/index.js b/index.js
index 14a38fb..66064a9 100644
--- a/index.js
+++ b/index.js
@@ -114,14 +114,13 @@ JwtBody.prototype.compact = function compact(){
 };
 var reservedHeaderKeys = ['typ','alg'];
-function JwtHeader(header, ignoreDefaults){
+function JwtHeader(header, enforceDefaultFields){
 if(!(this instanceof JwtHeader)){
 return new JwtHeader(header);
 }
- var self = this;
 this.typ = header && header.typ;
 this.alg = header && header.alg;
- if (!ignoreDefaults) {
+ if (enforceDefaultFields !== false) {
 this.typ = this.typ || 'JWT';
 this.alg = this.alg || 'HS256';
 }
@@ -263,9 +262,6 @@ Jwt.prototype.compact = function compact() {
 };
 Jwt.prototype.toString = function(){
- if (this.__originalString) {
- return this.__originalString;
- }
 return this.compact();
 };
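Review bot: Removing `reservedKeys: string[]` from the `JwtHeader` declaration breaks compilation for any TypeScript consumer that read `header.reservedKeys`, and per the changelog hunk this ships in a patch release (2.0.1); if the property was only ever an implementation detail that is acceptable, but it deserves its own changelog line. The new `enforceDefaultFields?: boolean` parameter is undocumented in the declaration, and its meaning is only visible in index.js: anything but `false` fills in missing `typ`/`alg` with 'JWT'/'HS256', while `false` keeps them exactly as given. A TSDoc comment on both the function signature and the constructor would carry that contract, e.g. `/** @param enforceDefaultFields when false, typ and alg are taken as given (used when parsing an existing token); otherwise missing values default to 'JWT' and 'HS256'. */`.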
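Review bot: The call-without-`new` branch still reads `return new JwtHeader(header);`, so the renamed `enforceDefaultFields` argument is dropped on that path and `JwtHeader(parsedHeader, false)` would silently re-apply the 'JWT'/'HS256' defaults; since the index.d.ts hunk now declares that two-argument call form, the branch should forward it: `return new JwtHeader(header, enforceDefaultFields);`. Note also that a literal `true` second argument inverts meaning with this rename (old `ignoreDefaults: true` skipped the defaults, new `enforceDefaultFields: true` applies them), so any external caller that passed the previously undeclared flag changes behaviour, which is worth a changelog mention. `var reservedHeaderKeys` remains in the hunk's context but its use, if any, is outside the hunk. The JwtHeader body continues past the end of the hunk.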
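Review bot: With the `__originalString` short-circuit removed, `toString()` always re-serializes through `compact()`, so the string a caller gets back after `verify()` is a re-encoding rather than the exact bytes that were verified; whether the two are byte-identical depends on `compact()` reproducing the original segment encoding, which this hunk does not show. The test in test/verifier.js named 'should persist the original token to the toString() invocation' presumably still passes for its unsigned token, but its name now describes behaviour this commit removes; renaming it to something like 'should round-trip an unsigned token through toString()' keeps the suite honest. A one-line comment on the method, `// always re-compacts; the parsed input string is not retained`, would record the intent. This hunk shows the whole toString body.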
@@ -319,7 +315,7 @@ Parser.prototype.parse = function parse(jwtString,cb){
 jwt.setSigningAlgorithm(header.alg);
 jwt.signature = signature;
 jwt.verificationInput = segments[0] +'.' + segments[1];
- jwt.header = new JwtHeader(header, true);
+ jwt.header = new JwtHeader(header, false);
 return done(null,jwt);
 };
@@ -421,7 +417,7 @@ Verifier.prototype.verify = function verify(jwtString,cb){
 // return jwtString; // };
- newJwt.header = new JwtHeader(header, true);
+ newJwt.header = new JwtHeader(header, false);
 if (!verified) {
 return done(new JwtParseError(properties.errors.SIGNATURE_MISMTACH,jwtString,header,body));
diff --git a/test/exports.js b/test/exports.js
index 435ddb7..c5638fb 100644
--- a/test/exports.js
+++ b/test/exports.js
@@ -22,7 +22,7 @@ describe('njwt module exports',function () {
 2IiwKICAgICJfX3Byb3RvX18iOiB7CiAgICAgICJjb21wYWN0IjogbnVsbCwKICAgICAgInJlc2VydmVkS2V5cyI6IFsKICAgICAgICAidHlwIiwKICAgICAgICAicmF
 uZG9tX2dpYmJlcmlzaCIKICAgICAgXQogICAgfQogIH0KfQ.ewogICJzdWIiOiAxLAogICJzY29wZSI6ICJ1c2VyIiwKICAianRpIjogImJhZmIxNmNlLTIwZDYtNGNk
 Ny05NDgzLTY1YTA5NThhOGU2NCIsCiAgImlhdCI6IDI1Mzc0Nzg1MDYsCiAgImV4cCI6IDI1Mzc0Nzg1MDYsCiAgIl9fcHJvdG9fXyI6IHsKICAgICJjb21wYWN0Ijog
- bnVsbCwKICAgICJ0b0pTT04iOiBudWxsLAogICAgInBvbGx1dGVkIjogdHJ1ZQogIH0KfQ`.replaceAll(/\s/g, '');
+ bnVsbCwKICAgICJ0b0pTT04iOiBudWxsLAogICAgInBvbGx1dGVkIjogdHJ1ZQogIH0KfQ`.replace(/\s/g, '');
 assert.isOk(nJwt.JwtBody.prototype.hasOwnProperty('toJSON'))
 assert.isOk(nJwt.JwtBody.prototype.hasOwnProperty('compact'))
diff --git a/test/verifier.js b/test/verifier.js
index 904b00d..b826876 100644
--- a/test/verifier.js
+++ b/test/verifier.js
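Review bot: `new JwtHeader(header, false)` on the changed line here, and on the matching line in the Verifier.prototype.verify hunk, reads as an opaque boolean at the two places where `header` is the decoded header of an externally supplied token; the `false` means its `typ`/`alg` are kept verbatim rather than defaulted, which is the point of passing it but is invisible at the call site. A trailing comment at both sites would make that explicit: `jwt.header = new JwtHeader(header, false); // keep typ/alg as parsed, no defaults`. Both enclosing functions start and end outside their hunks.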
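Review bot: The fixture in this test is an opaque base64 blob, so a reader cannot tell what the test guards; decoding the visible segments shows that both the header tail and the body JSON carry a `"__proto__"` object (with `compact`, `toJSON`, `reservedKeys` and `polluted` members), which matches the prototype-pollution fix the changelog attributes to CVE-2024-34273. A comment above the literal such as `// token whose header and body both contain a "__proto__" object; parsing it must leave JwtBody.prototype untouched` would document that, and the `hasOwnProperty('toJSON')`/`('compact')` assertions below it then read naturally. The `replaceAll` to `replace` swap with a /g regex is behaviour-preserving and presumably restores compatibility with Node versions lacking String.prototype.replaceAll, which fits the engines range in the changelog. The enclosing describe block starts outside the hunk.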
@@ -36,7 +36,6 @@ describe('Verifier().setSigningAlgorithm() ',function(){
 describe('.verify()',function(){
 it('should persist the original token to the toString() invocation',function(){
- // var token = 'eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMjMifQ.p6bizskaJLAheVyRhQEMR-60PkH_jtLVYgMy1qTjCoc';
 var token = 'eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMjMifQ';
 assert.equal(token,nJwt.verify(token).toString());
 });