
Move away from github.com/dgrijalva/jwt-go as JWT library #5181

Closed
jannfis opened this issue Jan 5, 2021 · 4 comments
Labels: enhancement (New feature or request), type:tech-debt (Enhancement invisible for the end user)

Comments

@jannfis
Member

jannfis commented Jan 5, 2021

Summary

The github.com/dgrijalva/jwt-go library seems to be abandoned and not maintained anymore, but contains a security vulnerability marked as high. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160

The remediation says to update to 4.0.0-preview1, but from our research, this version does not contain any fix for the specified issue.

There is a fork at github.com/form3tech-oss/jwt-go which includes a correct fix. This seems to be the only code change so far: dgrijalva/jwt-go@master...form3tech-oss:master

Motivation

Provide a secure JWT implementation within Argo CD.

Proposal

  • Move temporarily to a fork of github.com/dgrijalva/jwt-go that provides a correct fix for the issue
  • Evaluate migration to another JWT library that is better maintained (or maintained at all)
  • If a decision has been made to migrate to another library, refactor our code to make use of it
@jannfis jannfis added the enhancement New feature or request label Jan 5, 2021
@jannfis jannfis changed the title from "Move away from github,com/dgrijalva/jwt-go as JWT library" to "Move away from github.com/dgrijalva/jwt-go as JWT library" Jan 5, 2021
@jannfis
Member Author

jannfis commented Jan 5, 2021

OK, so the research was probably wrong. The fix is in another branch - release_4_0_0 - not in master. So we can upgrade to 4.0.0-preview1 instead of to the fork. Also, my initial tests showed that the fork doesn't handle single aud claims in tokens, only two or more.
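Both the CVE and the single-versus-array `aud` gap noted above come down to how one verification function treats the `aud` claim, which RFC 7519 allows to be either a single string or an array of strings (in CVE-2020-26160 an array-valued claim fell through a string type assertion and was then treated as absent, so it passed whenever the audience was not required). The following is an added example, not Argo CD's or jwt-go's own code, of an audience check that accepts both encodings and fails closed on anything else; the function names and the `argocd` audience value are assumptions.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
)

// VerifyAudience checks a decoded "aud" claim against the expected audience.
// RFC 7519 allows "aud" to be a single string or an array of strings, so a
// JSON-decoded claim arrives as string or []interface{}. A claim that is
// present but of an unexpected shape fails closed; only a genuinely absent
// claim is excused, and only when the audience is not required.
func VerifyAudience(claims map[string]interface{}, expected string, required bool) bool {
	raw, present := claims["aud"]
	if !present {
		return !required
	}
	var auds []string
	switch v := raw.(type) {
	case string:
		auds = []string{v}
	case []interface{}:
		for _, item := range v {
			s, ok := item.(string)
			if !ok {
				return false // non-string array entry: reject, do not ignore
			}
			auds = append(auds, s)
		}
	default:
		return false // number, object, null, ...: reject rather than treat as absent
	}
	for _, aud := range auds {
		if subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) == 1 {
			return true
		}
	}
	return false
}

// VerifyAudienceJSON decodes a bare claims payload (constructed sample input,
// not a signed token) and verifies its audience. Signature verification is
// out of scope here and must happen before any claim is trusted.
func VerifyAudienceJSON(payload, expected string, required bool) (bool, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return false, err
	}
	return VerifyAudience(claims, expected, required), nil
}
```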

@jessesuen jessesuen added the type:tech-debt Enhancement invisible for the end user label Jan 6, 2021
@jannfis
Member Author

jannfis commented Jul 7, 2021

The successor to this is apparently https://github.com/golang-jwt/jwt, according to dgrijalva/jwt-go#462 and the update of the README in jwt-go repository.

@jannfis jannfis added this to the v2.2 milestone Jul 7, 2021
@alexmt alexmt modified the milestones: v2.2, v2.3 Dec 8, 2021
@alexmt
Collaborator

alexmt commented Jan 18, 2022

@jannfis we can close this, right?

@jannfis
Member Author

jannfis commented Jan 18, 2022

Oh nice. I forgot about this one totally :)

Closing. Was implemented by #8136

@jannfis jannfis closed this as completed Jan 18, 2022