Bump PyJWT version due to "Key confusion through non-blocklisted public key formats" vulnerability

This commit is contained in:
allegroai 2022-05-25 16:50:19 +03:00
parent 08a7bc7c9f
commit 9b108740da
4 changed files with 27 additions and 17 deletions


@ -64,7 +64,7 @@ class AuthBLL:
feature_set="basic",
)
return GetTokenResponse(token=token.decode("ascii"))
return GetTokenResponse(token=token)
@staticmethod
def create_user(request: CreateUserRequest, call: APICall = None) -> str:


@ -188,7 +188,7 @@ class Scroll(jsonmodels.models.Base):
key=config.get(
"services.events.events_retrieval.scroll_id_key", "1234567890"
),
).decode()
)
@classmethod
def from_scroll_id(cls, scroll_id: str):
@ -199,6 +199,7 @@ class Scroll(jsonmodels.models.Base):
key=config.get(
"services.events.events_retrieval.scroll_id_key", "1234567890"
),
algorithms=["HS256"],
)
)
except jwt.PyJWTError:
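Review bot: `from_scroll_id` now pins `algorithms=["HS256"]`, but both it and the encoder in the hunk above still fall back to the literal key `"1234567890"` when `services.events.events_retrieval.scroll_id_key` is unset, so on a deployment that never sets that key the HMAC protects nothing and a client can mint or alter scroll ids freely. Whether a forged scroll id lets a caller reach state belonging to another request is not visible from this hunk, but a signature under a key that is printed in the source is no signature at all. Suggest failing closed, e.g. `key = config.get("services.events.events_retrieval.scroll_id_key")` followed by `if not key: raise RuntimeError("events_retrieval.scroll_id_key must be configured")`, or at minimum a comment on the default such as `# NOTE: this fallback key is public; scroll ids are only tamper-proof when scroll_id_key is set`. Both enclosing methods start before their hunks, and `from_scroll_id` continues past this `except`.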


@ -21,7 +21,7 @@ nested_dict>=1.61
packaging==20.3
psutil>=5.6.5
pyhocon>=0.3.35
pyjwt<2.0.0
pyjwt>=2.4.0
pymongo[srv]==3.12.0
python-rapidjson>=0.6.3
redis==3.5.3
@ -31,4 +31,4 @@ requests>=2.13.0
semantic_version>=2.8.3,<3
six
tqdm
validators>=0.12.4
validators>=0.12.4


@ -9,22 +9,25 @@ from apiserver.database.model.auth import Role
from .auth_type import AuthType
from .payload import Payload
token_secret = config.get('secure.auth.token_secret')
token_secret = config.get("secure.auth.token_secret")
log = config.logger(__file__)
class Token(Payload):
default_expiration_sec = config.get('apiserver.auth.default_expiration_sec')
default_expiration_sec = config.get("apiserver.auth.default_expiration_sec")
def __init__(self, exp=None, iat=None, nbf=None, env=None, identity=None, entities=None, **_):
def __init__(
self, exp=None, iat=None, nbf=None, env=None, identity=None, entities=None, **_
):
super(Token, self).__init__(
AuthType.bearer_token, identity=identity, entities=entities)
AuthType.bearer_token, identity=identity, entities=entities
)
self.exp = exp
self.iat = iat
self.nbf = nbf
self._env = env or config.get('env', '<unknown>')
self._env = env or config.get("env", "<unknown>")
@property
def env(self):
@ -65,7 +68,12 @@ class Token(Payload):
@classmethod
def decode(cls, encoded_token, verify=True):
return jwt.decode(encoded_token, token_secret, verify=verify)
options = (
{"verify_signature": False, "verify_exp": True} if not verify else None
)
return jwt.decode(
encoded_token, token_secret, algorithms=["HS256"], options=options
)
@classmethod
def from_encoded_token(cls, encoded_token, verify=True):
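Review bot: In `decode`, `verify=False` now maps to `{"verify_signature": False, "verify_exp": True}`, so the returned claims — including `identity` — come from a token nobody has authenticated, yet the method carries no warning and its result is indistinguishable from a verified decode. Every caller that passes `verify=False` should be audited, and the contract made explicit, e.g. a docstring `"""Decode a bearer token signed with HS256. With verify=False the signature is NOT checked (only exp), so the claims must not be used for authorization."""`. Keeping `verify_exp` on while the signature is unchecked is of limited value, because an unsigned token's `exp` is attacker-chosen; a one-line comment on the `options` assignment such as `# unverified mode: exp is still checked but is not trustworthy without a signature` would keep the next reader from assuming otherwise. `from_encoded_token` begins on the last line of this hunk and continues outside it.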
@ -74,23 +82,24 @@ class Token(Payload):
token = Token.from_dict(decoded)
assert isinstance(token, Token)
if not token.identity:
raise errors.unauthorized.InvalidToken('token missing identity')
raise errors.unauthorized.InvalidToken("token missing identity")
return token
except Exception as e:
raise errors.unauthorized.InvalidToken('failed parsing token, %s' % e.args[0])
raise errors.unauthorized.InvalidToken(
"failed parsing token, %s" % e.args[0]
)
@classmethod
def create_encoded_token(cls, identity, expiration_sec=None, entities=None, **extra_payload):
def create_encoded_token(
cls, identity, expiration_sec=None, entities=None, **extra_payload
):
if identity.role not in (Role.system,):
# limit expiration time for all roles but an internal service
expiration_sec = expiration_sec or cls.default_expiration_sec
now = datetime.utcnow()
token = cls(
identity=identity,
entities=entities,
iat=now)
token = cls(identity=identity, entities=entities, iat=now)
if expiration_sec:
# add 'expiration' claim