From 74cff39ceb8bcd96af275307ff4efd3b4770b8e3 Mon Sep 17 00:00:00 2001
From: Adam Sven Johnson
Date: Mon, 13 Sep 2021 18:08:13 +1200
Subject: [PATCH] Update jwt library Use github.com/golang-jwt/jwt/v4 as the replacement for vulnerable version of github.com/dgrijalva/jwt-go
---
go.mod | 2 +-
go.sum | 4 ++--
plugins/auth_jwt.go | 4 ++--
plugins/auth_jwt_test.go | 2 +-
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index b02ae4d7..a8260e57 100644
--- a/go.mod
+++ b/go.mod
@@ -5,9 +5,9 @@ go 1.16
 require (
 github.com/99designs/gqlgen v0.11.2
 github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd // indirect
- github.com/dgrijalva/jwt-go v3.2.0+incompatible
 github.com/felixge/httpsnoop v1.0.1
 github.com/fsnotify/fsnotify v1.4.9
+ github.com/golang-jwt/jwt/v4 v4.0.0
 github.com/golang/protobuf v1.4.2 // indirect
 github.com/google/go-cmp v0.5.1 // indirect
 github.com/gorilla/mux v1.7.4
diff --git a/go.sum b/go.sum
index cf0c2c5d..383e50b7 100644
--- a/go.sum
+++ b/go.sum
@@ -28,8 +28,6 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/trifles v0.0.0-20190318185328-a8d75aae118c h1:TUuUh0Xgj97tLMNtWtNvI9mIV6isjEb9lBMNv+77IGM=
 github.com/dgryski/trifles v0.0.0-20190318185328-a8d75aae118c/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -46,6 +44,8 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gogo/protobuf v1.0.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/golang-jwt/jwt/v4 v4.0.0 h1:RAqyYixv1p7uEnocuy8P1nru5wprCh/MH2BIlW5z5/o=
+github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
diff --git a/plugins/auth_jwt.go b/plugins/auth_jwt.go
index c2bf885b..2bd3118e 100644
--- a/plugins/auth_jwt.go
+++ b/plugins/auth_jwt.go
@@ -8,8 +8,8 @@ import (
 "io"
 "net/http"
- "github.com/dgrijalva/jwt-go"
- "github.com/dgrijalva/jwt-go/request"
+ "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v4/request"
 "github.com/movio/bramble"
 log "github.com/sirupsen/logrus"
 "gopkg.in/square/go-jose.v2"
diff --git a/plugins/auth_jwt_test.go b/plugins/auth_jwt_test.go
index 51caa45a..cfedcdf6 100644
--- a/plugins/auth_jwt_test.go
+++ b/plugins/auth_jwt_test.go
@@ -9,7 +9,7 @@ import (
 "testing"
 "time"
- "github.com/dgrijalva/jwt-go"
+ "github.com/golang-jwt/jwt/v4"
 "github.com/movio/bramble"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"