From b0ca2f3c1bc4f540979bab0d79b03ad1bf39674a Mon Sep 17 00:00:00 2001
From: Ayan George
Date: Tue, 3 Nov 2020 16:16:11 -0500
Subject: [PATCH 1/2] fix: Upgrade version of jwt-go package to v4.0.0

Address CVE-2020-26160 for the jwt-go package.
---
 go.mod | 2 +-
 go.sum | 4 +++-
 services/httpd/handler.go | 2 +-
 services/httpd/handler_test.go | 2 +-
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 1ebcdfd7b93..39ed5e7e111 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/boltdb/bolt v1.3.1
 github.com/cespare/xxhash v1.1.0
 github.com/davecgh/go-spew v1.1.1
- github.com/dgrijalva/jwt-go v3.2.0+incompatible
+ github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
 github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8
 github.com/gogo/protobuf v1.3.1
 github.com/golang/snappy v0.0.1
diff --git a/go.sum b/go.sum
index 692f169a289..df3a6fb6d6e 100644
--- a/go.sum
+++ b/go.sum
@@ -133,6 +133,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbYd8tQGRWacE9kU=
+github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
 github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8 h1:akOQj8IVgoeFfBTzGOEQakCYshWD6RNo1M5pivFXt70=
 github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8/go.mod h1:VMaSuZ+SZcx/wljOQKvp5srsbCiKDEb6K2wC4+PiBmQ=
 github.com/dgryski/go-sip13 v0.0.0-20190329191031-25c5027a8c7b/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
@@ -388,7 +390,6 @@ github.com/influxdata/flux v0.65.0 h1:57tk1Oo4gpGIDbV12vUAPCMtLtThhaXzub1XRIuqv6
 github.com/influxdata/flux v0.65.0/go.mod h1:BwN2XG2lMszOoquQaFdPET8FRQfrXiZsWmcMO9rkaVY=
 github.com/influxdata/influxdb v1.8.0/go.mod h1:SIzcnsjaHRFpmlxpJ4S3NT64qtEKYweNTUMb/vh0OMQ=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
-github.com/influxdata/influxql v1.1.0 h1:sPsaumLFRPMwR5QtD3Up54HXpNND8Eu7G1vQFmi3quQ=
 github.com/influxdata/influxql v1.1.0/go.mod h1:KpVI7okXjK6PRi3Z5B+mtKZli+R1DnZgb3N+tzevNgo=
 github.com/influxdata/influxql v1.1.1-0.20200828144457-65d3ef77d385 h1:ED4e5Cc3z5vSN2Tz2GkOHN7vs4Sxe2yds6CXvDnvZFE=
 github.com/influxdata/influxql v1.1.1-0.20200828144457-65d3ef77d385/go.mod h1:gHp9y86a/pxhjJ+zMjNXiQAA197Xk9wLxaz+fGG+kWk=
@@ -663,6 +664,7 @@ github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijb
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
 github.com/willf/bitset v1.1.3/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
+github.com/willf/bitset v1.1.9 h1:GBtFynGY9ZWZmEC9sWuu41/7VBXPFCOAbCbqTflOg9c=
 github.com/willf/bitset v1.1.9/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
diff --git a/services/httpd/handler.go b/services/httpd/handler.go
index 85d98598849..ca9ee4f13ac 100644
--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@@ -23,7 +23,7 @@ import (
 httppprof "net/http/pprof"
 
 "github.com/bmizerany/pat"
- "github.com/dgrijalva/jwt-go"
+ "github.com/dgrijalva/jwt-go/v4"
 "github.com/gogo/protobuf/proto"
 "github.com/golang/snappy"
 "github.com/influxdata/flux"
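Review bot: The new import path resolves, per the go.mod hunk, to `github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1`, a pre-release tag, while the commit subject says v4.0.0; for a security upgrade the pin should be a tagged release, or the subject should say preview1 and the reason for accepting a preview should be recorded, because a preview can still change its verification API and error types. Only the import line is visible here; the handler code that calls into `jwt.` (key lookup, claims validation and, if the handler verifies `aud` at all, the audience check that CVE-2020-26160 — cited in the commit — concerns in v3.2.0) lies outside this hunk, so whether those calls compile and keep the same accept/reject behaviour against v4 cannot be confirmed from the diff and deserves a test that presents a token with an `aud` array. The go.sum hunks above still carry the `v3.2.0+incompatible` lines as context; if nothing else requires v3 they are dead entries that `go mod tidy` would remove. The import block continues outside the hunk.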
diff --git a/services/httpd/handler_test.go b/services/httpd/handler_test.go
index 7efb501d6d1..d98cddcb202 100644
--- a/services/httpd/handler_test.go
+++ b/services/httpd/handler_test.go
@@ -21,7 +21,7 @@ import (
 "testing"
 "time"
 
- "github.com/dgrijalva/jwt-go"
+ "github.com/dgrijalva/jwt-go/v4"
 "github.com/gogo/protobuf/proto"
 "github.com/golang/snappy"
 "github.com/google/go-cmp/cmp"

From f864136774f61965ed889dbec487aa19915df97f Mon Sep 17 00:00:00 2001
From: Ayan George
Date: Thu, 5 Nov 2020 10:31:14 -0500
Subject: [PATCH 2/2] fix: Update tests to reflect new error messages

Prior to this commit, the TestHandler_Query_Auth() tests would fail as it checked for specific error strigns returned by the jwt-go package. Version 4.0.0-preview1 of the package changed the verbiage of those errors a bit. This patch updates the test to detect the new error string.
---
 services/httpd/handler_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/services/httpd/handler_test.go b/services/httpd/handler_test.go
index d98cddcb202..3fe61355490 100644
--- a/services/httpd/handler_test.go
+++ b/services/httpd/handler_test.go
@@ -196,7 +196,7 @@ func TestHandler_Query_Auth(t *testing.T) {
 h.ServeHTTP(w, req)
 if w.Code != http.StatusUnauthorized {
 t.Fatalf("unexpected status: %d: %s", w.Code, w.Body.String())
- } else if body := strings.TrimSpace(w.Body.String()); body != `{"error":"signature is invalid"}` {
+ } else if body := strings.TrimSpace(w.Body.String()); body != `{"error":"token signature is invalid"}` {
 t.Fatalf("unexpected body: %s", body)
 }
 
@@ -220,7 +220,7 @@ func TestHandler_Query_Auth(t *testing.T) {
 h.ServeHTTP(w, req)
 if w.Code != http.StatusUnauthorized {
 t.Fatalf("unexpected status: %d: %s", w.Code, w.Body.String())
- } else if !strings.Contains(w.Body.String(), `{"error":"Token is expired`) {
+ } else if !strings.Contains(w.Body.String(), `{"error":"token is expired`) {
 t.Fatalf("unexpected body: %s", w.Body.String())
 }
 
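Review bot: The updated assertions still pin the response body to the exact wording of the jwt-go error (`{"error":"token signature is invalid"}` and `{"error":"token is expired`), which is precisely what broke in this upgrade and will break again whenever the library rewords its messages, including a later move off the `v4.0.0-preview1` pre-release. The security property under test is that a tampered or expired bearer token is refused with 401, and the status check on the line above already establishes that, so the body check could assert only what the handler owns, e.g. `} else if body := strings.TrimSpace(w.Body.String()); !strings.HasPrefix(body, "{\"error\":\"") {`, or the handler (outside this hunk) could map verification failures onto its own fixed messages and the test assert on those. Echoing the library's error text verbatim to an unauthenticated client also tells it which check failed (signature versus expiry); it is a small disclosure, but fixed handler-owned messages would close it at the same time. `TestHandler_Query_Auth` starts and ends outside the hunk.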