python-python-jose/CVE-2024-33664.patch

136 lines
5.3 KiB
Diff
Raw Permalink Normal View History

From ff3357d9f91b93bc957aac9bc5a447c5c0bb74da Mon Sep 17 00:00:00 2001
From: "alistair.watts@groupbc.com" <alistair.watts@groupbc.com>
Date: Tue, 7 May 2024 14:50:53 +0100
Subject: [PATCH] Fix for CVE-2024-33664. JWE limited to 250K
---
jose/constants.py | 2 ++
jose/jwe.py | 24 ++++++++++++++++++------
tests/test_jwe.py | 34 +++++++++++++++++++++++++++++++++-
3 files changed, 53 insertions(+), 7 deletions(-)
diff --git a/jose/constants.py b/jose/constants.py
index ab4d74d3..58787d46 100644
--- a/jose/constants.py
+++ b/jose/constants.py
@@ -96,3 +96,5 @@ class Zips:
ZIPS = Zips()
+
+JWE_SIZE_LIMIT = 250 * 1024
diff --git a/jose/jwe.py b/jose/jwe.py
index 2c387ff4..04923873 100644
--- a/jose/jwe.py
+++ b/jose/jwe.py
@@ -6,7 +6,7 @@
from . import jwk
from .backends import get_random_bytes
-from .constants import ALGORITHMS, ZIPS
+from .constants import ALGORITHMS, ZIPS, JWE_SIZE_LIMIT
from .exceptions import JWEError, JWEParseError
from .utils import base64url_decode, base64url_encode, ensure_binary
@@ -76,6 +76,13 @@ def decrypt(jwe_str, key):
>>> jwe.decrypt(jwe_string, 'asecret128bitkey')
'Hello, World!'
"""
+
+ # Limit the token size - if the data is compressed then decompressing the
+ # data could lead to large memory usage. This helps address This addresses
+ # CVE-2024-33664. Also see _decompress()
+ if len(jwe_str) > JWE_SIZE_LIMIT:
+ raise JWEError("JWE string exceeds {JWE_SIZE_LIMIT} bytes")
+
header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str)
# Verify that the implementation understands and can process all
@@ -424,13 +431,13 @@ def _compress(zip, plaintext):
(bytes): Compressed plaintext
"""
if zip not in ZIPS.SUPPORTED:
- raise NotImplementedError("ZIP {} is not supported!")
+ raise NotImplementedError(f"ZIP {zip} is not supported!")
if zip is None:
compressed = plaintext
elif zip == ZIPS.DEF:
compressed = zlib.compress(plaintext)
else:
- raise NotImplementedError("ZIP {} is not implemented!")
+ raise NotImplementedError(f"ZIP {zip} is not implemented!")
return compressed
@@ -446,13 +453,18 @@ def _decompress(zip, compressed):
(bytes): Compressed plaintext
"""
if zip not in ZIPS.SUPPORTED:
- raise NotImplementedError("ZIP {} is not supported!")
+ raise NotImplementedError(f"ZIP {zip} is not supported!")
if zip is None:
decompressed = compressed
elif zip == ZIPS.DEF:
- decompressed = zlib.decompress(compressed)
+ # If, during decompression, there is more data than expected, the
+ # decompression halts and raise an error. This addresses CVE-2024-33664
+ decompressor = zlib.decompressobj()
+ decompressed = decompressor.decompress(compressed, max_length=JWE_SIZE_LIMIT)
+ if decompressor.unconsumed_tail:
+ raise JWEError(f"Decompressed JWE string exceeds {JWE_SIZE_LIMIT} bytes")
else:
- raise NotImplementedError("ZIP {} is not implemented!")
+ raise NotImplementedError(f"ZIP {zip} is not implemented!")
return decompressed
diff --git a/tests/test_jwe.py b/tests/test_jwe.py
index f089d565..8c5ff387 100644
--- a/tests/test_jwe.py
+++ b/tests/test_jwe.py
@@ -5,7 +5,7 @@
import jose.backends
from jose import jwe
from jose.constants import ALGORITHMS, ZIPS
-from jose.exceptions import JWEParseError
+from jose.exceptions import JWEParseError, JWEError
from jose.jwk import AESKey, RSAKey
from jose.utils import base64url_decode
@@ -525,3 +525,35 @@ def test_kid_header_not_present_when_not_provided(self):
encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg)
header = json.loads(base64url_decode(encrypted.split(b".")[0]))
assert "kid" not in header
+
+ @pytest.mark.skipif(AESKey is None, reason="No AES backend")
+ def test_jwe_with_excessive_data(self):
+ enc = ALGORITHMS.A256CBC_HS512
+ alg = ALGORITHMS.RSA_OAEP_256
+ import jose.constants
+ old_limit = jose.constants.JWE_SIZE_LIMIT
+ try:
+ jose.constants.JWE_SIZE_LIMIT = 1024
+ encrypted = jwe.encrypt(b"Text"*64*1024, PUBLIC_KEY_PEM, enc, alg)
+ header = json.loads(base64url_decode(encrypted.split(b".")[0]))
+ with pytest.raises(JWEError):
+ actual = jwe.decrypt(encrypted, PRIVATE_KEY_PEM)
+ finally:
+ jose.constants.JWE_SIZE_LIMIT = old_limit
+
+ @pytest.mark.skipif(AESKey is None, reason="No AES backend")
+ def test_jwe_zip_with_excessive_data(self):
+ # Test that a fix for CVE-2024-33664 is in place.
+ enc = ALGORITHMS.A256CBC_HS512
+ alg = ALGORITHMS.RSA_OAEP_256
+ import jose.constants
+ old_limit = jose.constants.JWE_SIZE_LIMIT
+ try:
+ jose.constants.JWE_SIZE_LIMIT = 1024
+ encrypted = jwe.encrypt(b"Text"*64*1024, PUBLIC_KEY_PEM, enc, alg, zip=ZIPS.DEF)
+ assert len(encrypted) < jose.constants.JWE_SIZE_LIMIT
+ header = json.loads(base64url_decode(encrypted.split(b".")[0]))
+ with pytest.raises(JWEError):
+ actual = jwe.decrypt(encrypted, PRIVATE_KEY_PEM)
+ finally:
+ jose.constants.JWE_SIZE_LIMIT = old_limit