jwt-go library vulnerability

[foolmacky]

Hello,

I'm using viper in our project in my company.
Recently, critical vulnerability has detected by 'Source Clear',
and I can't release updates.

The cause of this vulnerability is jwt-go library.
https://www.sourceclear.com/vulnerability-database/security/authorization-bypass/go/sid-27284

In jwt-go project the vulnerability is indicated on July, 2020.
But there is no action ?, and the issue was closed.
And some of users move away from unmaintained jwt-go project.
Sigh...

dgrijalva/jwt-go#422
dgrijalva/jwt-go#426
go-chi/jwtauth#50

Please let me know how you handle this matter in viper ?

Thanks.

[github-actions]

👋 Thanks for reporting!

A maintainer will take a look at your issue shortly. 👀

In the meantime: We are working on Viper v2 and we would love to hear your thoughts about what you like or don't like about Viper, so we can improve or fix those issues.

⏰ If you have a couple minutes, please take some time and share your thoughts: https://forms.gle/R6faU74qPRPAzchZ9

📣 If you've already given us your feedback, you can still help by spreading the news,
either by sharing the above link or telling people about this on Twitter:

https://twitter.com/sagikazarmark/status/1306904078967074816

Thank you! ❤️

[sagikazarmark]

Hi @foolmacky,

Looks like the jwt package is a dependency of github.com/coreos/etcd/auth. Currently Viper pulls in a ton of dependencies, because the etcd client package is embedded into the main project.

We are actually waiting for etcd-io/etcd#12204 to happen which will make things a whole lot easier.

Looking at the import graph, however, the aforementioned package will never be built into anything because of Viper:

❯ go mod why github.com/dgrijalva/jwt-go
# github.com/dgrijalva/jwt-go
github.com/spf13/viper/remote
github.com/bketelsen/crypt/config
github.com/bketelsen/crypt/backend/etcd
github.com/coreos/etcd/client
github.com/coreos/etcd/client.test
github.com/coreos/etcd/integration
github.com/coreos/etcd/etcdserver
github.com/coreos/etcd/auth
github.com/dgrijalva/jwt-go

As you can see, it's there because of a test dependency.

You can also verify this by running

❯ go list -deps ./... | grep jwt
golang.org/x/oauth2/jwt

The mentioned jwt library is not actually a dependency of Viper. So you can mark this issue as a false alert (if you can) in your system: you won't be affected by it because of Viper.

Hopefully, once etcd 3.5 is released, this issue will go away.

In the mean time, etcd still seems to rely on this library:

https://github.com/etcd-io/etcd/blob/ab4cc3caef3d6a1bb7c8c9e79749357eafef42df/go.mod#L11

It might be worth opening an issue there as well.

[foolmacky]

Hello @sagikazarmark

Thank you for explaining so clearly.
I now have a deeper understanding of the matter.

In 'Source Clear' web interface, it looks that Viper relly on jwt-go directory,
but it is incorrect.

I can deal with the probrem.

Thanks.