From 6d8c3863518bbad0cc625c8f69871d0ec12360f6 Mon Sep 17 00:00:00 2001 From: Jared Perreault Date: Mon, 3 Jun 2024 17:50:50 -0400 Subject: [PATCH] CVE-2024-34273 --- CHANGELOG.md | 4 ++++ index.d.ts | 5 ++--- index.js | 9 ++++----- test/exports.js | 2 +- 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c4d201..2efe756 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # nJwt Change Log +### 2.0.1 + +* [#107](https://github.com/jwtk/njwt/pull/107) Freeze `prototype` of all classes to prevent prototype pollution vuln ([CVE-2024-34273](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-34273)) + ### 2.0.0 * [#98](https://github.com/jwtk/njwt/pull/98) Bumps jsonwebtoken version, drop Node < 12 from engines diff --git a/index.d.ts b/index.d.ts index 0ef8a4a..c74bcb2 100644 --- a/index.d.ts +++ b/index.d.ts @@ -61,12 +61,11 @@ export declare class JwtBody { toJSON(): JSONMap; compact(): string; } -export declare function JwtHeader(header: JwtHeaderOptions): JwtHeader; +export declare function JwtHeader(header: JwtHeaderOptions, enforceDefaultFields?: boolean): JwtHeader; export declare class JwtHeader { - constructor(header: JwtHeaderOptions); + constructor(header: JwtHeaderOptions, enforceDefaultFields?: boolean); typ: string; alg: string; - reservedKeys: string[]; compact(): string; } diff --git a/index.js b/index.js index 14a38fb..ebe97cd 100644 --- a/index.js +++ b/index.js @@ -114,14 +114,13 @@ JwtBody.prototype.compact = function compact(){ }; var reservedHeaderKeys = ['typ','alg']; -function JwtHeader(header, ignoreDefaults){ +function JwtHeader(header, enforceDefaultFields){ if(!(this instanceof JwtHeader)){ return new JwtHeader(header); } - var self = this; this.typ = header && header.typ; this.alg = header && header.alg; - if (!ignoreDefaults) { + if (enforceDefaultFields !== false) { this.typ = this.typ || 'JWT'; this.alg = this.alg || 'HS256'; } 
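Review bot: The new optional `enforceDefaultFields` parameter on both the `JwtHeader` function and constructor declarations in index.d.ts carries no doc comment, and its meaning cannot be inferred from the name; add a TSDoc line above each such as `/** When false, a missing typ/alg is left undefined instead of defaulting to 'JWT'/'HS256'. */`, which is the behaviour the index.js hunk below implements. Dropping `reservedKeys: string[]` from the declared class is a breaking change for TypeScript consumers in what the changelog labels a patch release (2.0.1), and no index.js hunk in this patch removes a runtime `reservedKeys` member, so it is unclear whether the property still exists at runtime or the declaration was simply stale; the commit message should say which.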
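Review bot: The `new`-less call path still drops the flag: the guard `if(!(this instanceof JwtHeader)){ return new JwtHeader(header); }` forwards only `header`, so `JwtHeader(h, false)`, the form index.d.ts declares in this same patch, silently falls back to defaulting `typ`/`alg`; change it to `return new JwtHeader(header, enforceDefaultFields);`. Removing `var self = this;` is only safe if nothing further down still reads `self`; the rest of JwtHeader's body lies outside the hunk, so that needs confirming. Separately, the CHANGELOG entry describes this fix as freezing the prototype of all classes, yet no `Object.freeze` call appears anywhere in the patch, so either that entry overstates what 2.0.1 ships or the freeze lives in another commit.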
@@ -319,7 +318,7 @@ Parser.prototype.parse = function parse(jwtString,cb){ jwt.setSigningAlgorithm(header.alg); jwt.signature = signature; jwt.verificationInput = segments[0] +'.' + segments[1]; - jwt.header = new JwtHeader(header, true); + jwt.header = new JwtHeader(header, false); return done(null,jwt); }; @@ -421,7 +420,7 @@ Verifier.prototype.verify = function verify(jwtString,cb){ // return jwtString; // }; - newJwt.header = new JwtHeader(header, true); + newJwt.header = new JwtHeader(header, false); if (!verified) { return done(new JwtParseError(properties.errors.SIGNATURE_MISMTACH,jwtString,header,body)); diff --git a/test/exports.js b/test/exports.js index 435ddb7..c5638fb 100644 --- a/test/exports.js +++ b/test/exports.js @@ -22,7 +22,7 @@ describe('njwt module exports',function () { 2IiwKICAgICJfX3Byb3RvX18iOiB7CiAgICAgICJjb21wYWN0IjogbnVsbCwKICAgICAgInJlc2VydmVkS2V5cyI6IFsKICAgICAgICAidHlwIiwKICAgICAgICAicmF uZG9tX2dpYmJlcmlzaCIKICAgICAgXQogICAgfQogIH0KfQ.ewogICJzdWIiOiAxLAogICJzY29wZSI6ICJ1c2VyIiwKICAianRpIjogImJhZmIxNmNlLTIwZDYtNGNk Ny05NDgzLTY1YTA5NThhOGU2NCIsCiAgImlhdCI6IDI1Mzc0Nzg1MDYsCiAgImV4cCI6IDI1Mzc0Nzg1MDYsCiAgIl9fcHJvdG9fXyI6IHsKICAgICJjb21wYWN0Ijog - bnVsbCwKICAgICJ0b0pTT04iOiBudWxsLAogICAgInBvbGx1dGVkIjogdHJ1ZQogIH0KfQ`.replaceAll(/\s/g, ''); + bnVsbCwKICAgICJ0b0pTT04iOiBudWxsLAogICAgInBvbGx1dGVkIjogdHJ1ZQogIH0KfQ`.replace(/\s/g, ''); assert.isOk(nJwt.JwtBody.prototype.hasOwnProperty('toJSON')) assert.isOk(nJwt.JwtBody.prototype.hasOwnProperty('compact'))
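Review bot: Both call sites (`Parser.prototype.parse` here and `Verifier.prototype.verify` in the next hunk) now pass a bare `false` whose meaning is only recoverable by reading JwtHeader; a one-line comment such as `// keep the parsed header verbatim: do not inject default typ/alg` above `jwt.header = new JwtHeader(header, false);` (and its twin on `newJwt.header`) would spare the next reader that trip. The `header` object here is presumably the token-supplied one, so with defaults disabled a token lacking `alg` keeps `alg` undefined on the resulting header, matching what `setSigningAlgorithm(header.alg)` on the line above already receives; that consistency is worth stating in the same comment. Both enclosing functions start and end outside their hunks.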