Daniel Garcia
60ce9b52e2
https://github.com/mpdavis/python-jose/pull/352 bsc#1223422 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-python-jose?expand=0&rev=17
136 lines
5.3 KiB
Diff
136 lines
5.3 KiB
Diff
From ff3357d9f91b93bc957aac9bc5a447c5c0bb74da Mon Sep 17 00:00:00 2001
|
|
From: "alistair.watts@groupbc.com" <alistair.watts@groupbc.com>
|
|
Date: Tue, 7 May 2024 14:50:53 +0100
|
|
Subject: [PATCH] Fix for CVE-2024-33664. JWE limited to 250K
|
|
|
|
---
|
|
jose/constants.py | 2 ++
|
|
jose/jwe.py | 24 ++++++++++++++++++------
|
|
tests/test_jwe.py | 34 +++++++++++++++++++++++++++++++++-
|
|
3 files changed, 53 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/jose/constants.py b/jose/constants.py
|
|
index ab4d74d3..58787d46 100644
|
|
--- a/jose/constants.py
|
|
+++ b/jose/constants.py
|
|
@@ -96,3 +96,5 @@ class Zips:
|
|
|
|
|
|
ZIPS = Zips()
|
|
+
|
|
+JWE_SIZE_LIMIT = 250 * 1024
|
|
diff --git a/jose/jwe.py b/jose/jwe.py
|
|
index 2c387ff4..04923873 100644
|
|
--- a/jose/jwe.py
|
|
+++ b/jose/jwe.py
|
|
@@ -6,7 +6,7 @@
|
|
|
|
from . import jwk
|
|
from .backends import get_random_bytes
|
|
-from .constants import ALGORITHMS, ZIPS
|
|
+from .constants import ALGORITHMS, ZIPS, JWE_SIZE_LIMIT
|
|
from .exceptions import JWEError, JWEParseError
|
|
from .utils import base64url_decode, base64url_encode, ensure_binary
|
|
|
|
@@ -76,6 +76,13 @@ def decrypt(jwe_str, key):
|
|
>>> jwe.decrypt(jwe_string, 'asecret128bitkey')
|
|
'Hello, World!'
|
|
"""
|
|
+
|
|
+ # Limit the token size - if the data is compressed then decompressing the
|
|
+ # data could lead to large memory usage. This helps address This addresses
|
|
+ # CVE-2024-33664. Also see _decompress()
|
|
+ if len(jwe_str) > JWE_SIZE_LIMIT:
|
|
+ raise JWEError("JWE string exceeds {JWE_SIZE_LIMIT} bytes")
|
|
+
|
|
header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str)
|
|
|
|
# Verify that the implementation understands and can process all
|
|
@@ -424,13 +431,13 @@ def _compress(zip, plaintext):
|
|
(bytes): Compressed plaintext
|
|
"""
|
|
if zip not in ZIPS.SUPPORTED:
|
|
- raise NotImplementedError("ZIP {} is not supported!")
|
|
+ raise NotImplementedError(f"ZIP {zip} is not supported!")
|
|
if zip is None:
|
|
compressed = plaintext
|
|
elif zip == ZIPS.DEF:
|
|
compressed = zlib.compress(plaintext)
|
|
else:
|
|
- raise NotImplementedError("ZIP {} is not implemented!")
|
|
+ raise NotImplementedError(f"ZIP {zip} is not implemented!")
|
|
return compressed
|
|
|
|
|
|
@@ -446,13 +453,18 @@ def _decompress(zip, compressed):
|
|
(bytes): Compressed plaintext
|
|
"""
|
|
if zip not in ZIPS.SUPPORTED:
|
|
- raise NotImplementedError("ZIP {} is not supported!")
|
|
+ raise NotImplementedError(f"ZIP {zip} is not supported!")
|
|
if zip is None:
|
|
decompressed = compressed
|
|
elif zip == ZIPS.DEF:
|
|
- decompressed = zlib.decompress(compressed)
|
|
+ # If, during decompression, there is more data than expected, the
|
|
+ # decompression halts and raise an error. This addresses CVE-2024-33664
|
|
+ decompressor = zlib.decompressobj()
|
|
+ decompressed = decompressor.decompress(compressed, max_length=JWE_SIZE_LIMIT)
|
|
+ if decompressor.unconsumed_tail:
|
|
+ raise JWEError(f"Decompressed JWE string exceeds {JWE_SIZE_LIMIT} bytes")
|
|
else:
|
|
- raise NotImplementedError("ZIP {} is not implemented!")
|
|
+ raise NotImplementedError(f"ZIP {zip} is not implemented!")
|
|
return decompressed
|
|
|
|
|
|
diff --git a/tests/test_jwe.py b/tests/test_jwe.py
|
|
index f089d565..8c5ff387 100644
|
|
--- a/tests/test_jwe.py
|
|
+++ b/tests/test_jwe.py
|
|
@@ -5,7 +5,7 @@
|
|
import jose.backends
|
|
from jose import jwe
|
|
from jose.constants import ALGORITHMS, ZIPS
|
|
-from jose.exceptions import JWEParseError
|
|
+from jose.exceptions import JWEParseError, JWEError
|
|
from jose.jwk import AESKey, RSAKey
|
|
from jose.utils import base64url_decode
|
|
|
|
@@ -525,3 +525,35 @@ def test_kid_header_not_present_when_not_provided(self):
|
|
encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg)
|
|
header = json.loads(base64url_decode(encrypted.split(b".")[0]))
|
|
assert "kid" not in header
|
|
+
|
|
+ @pytest.mark.skipif(AESKey is None, reason="No AES backend")
|
|
+ def test_jwe_with_excessive_data(self):
|
|
+ enc = ALGORITHMS.A256CBC_HS512
|
|
+ alg = ALGORITHMS.RSA_OAEP_256
|
|
+ import jose.constants
|
|
+ old_limit = jose.constants.JWE_SIZE_LIMIT
|
|
+ try:
|
|
+ jose.constants.JWE_SIZE_LIMIT = 1024
|
|
+ encrypted = jwe.encrypt(b"Text"*64*1024, PUBLIC_KEY_PEM, enc, alg)
|
|
+ header = json.loads(base64url_decode(encrypted.split(b".")[0]))
|
|
+ with pytest.raises(JWEError):
|
|
+ actual = jwe.decrypt(encrypted, PRIVATE_KEY_PEM)
|
|
+ finally:
|
|
+ jose.constants.JWE_SIZE_LIMIT = old_limit
|
|
+
|
|
+ @pytest.mark.skipif(AESKey is None, reason="No AES backend")
|
|
+ def test_jwe_zip_with_excessive_data(self):
|
|
+ # Test that a fix for CVE-2024-33664 is in place.
|
|
+ enc = ALGORITHMS.A256CBC_HS512
|
|
+ alg = ALGORITHMS.RSA_OAEP_256
|
|
+ import jose.constants
|
|
+ old_limit = jose.constants.JWE_SIZE_LIMIT
|
|
+ try:
|
|
+ jose.constants.JWE_SIZE_LIMIT = 1024
|
|
+ encrypted = jwe.encrypt(b"Text"*64*1024, PUBLIC_KEY_PEM, enc, alg, zip=ZIPS.DEF)
|
|
+ assert len(encrypted) < jose.constants.JWE_SIZE_LIMIT
|
|
+ header = json.loads(base64url_decode(encrypted.split(b".")[0]))
|
|
+ with pytest.raises(JWEError):
|
|
+ actual = jwe.decrypt(encrypted, PRIVATE_KEY_PEM)
|
|
+ finally:
|
|
+ jose.constants.JWE_SIZE_LIMIT = old_limit
|