diff options
| author | Stan Hu <stanhu@gmail.com> | 2018-12-29 06:20:04 -0800 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2018-12-29 06:20:04 -0800 |
| commit | 34f51dee0d336487a3fac0946eb198bb5996368b (patch) | |
| tree | 2c6748d6cd68dc9c49225fb5936969cc2876595a | |
| parent | ae8724ff227f7cc80f10c605cecfbd5c4f63922a (diff) | |
| download | gitlab-ce-34f51dee0d336487a3fac0946eb198bb5996368b.tar.gz | |
Set the JWT algorithm to RS256 in decode specs
By default, the JWT decode only allows HS256 mode (HMAC using SHA-256
hash algorithm). The specs using RSA tokens failed per
https://github.com/jwt/ruby-jwt#algorithms-and-usage:
It is strongly recommended that you hard code the algorithm, as you may
leave yourself vulnerable by dynamically picking the algorithm.
| -rw-r--r-- | spec/lib/json_web_token/rsa_token_spec.rb | 4 | ||||
| -rw-r--r-- | spec/services/auth/container_registry_authentication_service_spec.rb | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/spec/lib/json_web_token/rsa_token_spec.rb b/spec/lib/json_web_token/rsa_token_spec.rb index d6edc964844..a3c54651e80 100644 --- a/spec/lib/json_web_token/rsa_token_spec.rb +++ b/spec/lib/json_web_token/rsa_token_spec.rb @@ -25,7 +25,7 @@ describe JSONWebToken::RSAToken do rsa_token['key'] = 'value' end - subject { JWT.decode(rsa_encoded, rsa_key) } + subject { JWT.decode(rsa_encoded, rsa_key, true, { algorithm: 'RS256' }) } it { expect {subject}.not_to raise_error } it { expect(subject.first).to include('key' => 'value') } @@ -39,7 +39,7 @@ describe JSONWebToken::RSAToken do context 'for invalid key to raise an exception' do let(:new_key) { OpenSSL::PKey::RSA.generate(512) } - subject { JWT.decode(rsa_encoded, new_key) } + subject { JWT.decode(rsa_encoded, new_key, true, { algorithm: 'RS256' }) } it { expect {subject}.to raise_error(JWT::DecodeError) } end diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb index f2e9799452a..8021bd338e0 100644 --- a/spec/services/auth/container_registry_authentication_service_spec.rb +++ b/spec/services/auth/container_registry_authentication_service_spec.rb @@ -5,7 +5,7 @@ describe Auth::ContainerRegistryAuthenticationService do let(:current_user) { nil } let(:current_params) { {} } let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) } - let(:payload) { JWT.decode(subject[:token], rsa_key).first } + let(:payload) { JWT.decode(subject[:token], rsa_key, true, { algorithm: 'RS256' }).first } let(:authentication_abilities) do [:read_container_image, :create_container_image, :admin_container_image] |