Merge pull request #208 from DP-3T/hotfix/v1.1.1

Hotfix/v1.1.1 (CVE-2020-15957)
DP-3T · Jul 30, 2020 · b8c6476 · b8c6476
2 parents 925bc21 + b5d3b2f
commit b8c6476
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/.../dpppt-backend-sdk-ws/src/main/java/org/dpppt/backend/sdk/ws/security/DPPTJwtDecoder.java b/.../dpppt-backend-sdk-ws/src/main/java/org/dpppt/backend/sdk/ws/security/DPPTJwtDecoder.java
@@ -36,7 +36,7 @@ public void setJwtValidator(OAuth2TokenValidator<Jwt> validator) {
 	@Override
 	public Jwt decode(String token) throws JwtException {
 		try {
-			var t = parser.parse(token);
+			var t = parser.parseClaimsJws(token);
 
 			var headers = t.getHeader();
 			var claims = (Claims) t.getBody();

diff --git a/...-backend-sdk-ws/src/test/java/org/dpppt/backend/sdk/ws/controller/BaseControllerTest.java b/...-backend-sdk-ws/src/test/java/org/dpppt/backend/sdk/ws/controller/BaseControllerTest.java
@@ -143,5 +143,14 @@ protected String createTokenWithScope(OffsetDateTime expiresAt, String scope) {
 				.setSubject("test-subject" + OffsetDateTime.now().withOffsetSameInstant(ZoneOffset.UTC).toString()).setExpiration(Date.from(expiresAt.toInstant()))
 				.setIssuedAt(Date.from(OffsetDateTime.now().withOffsetSameInstant(ZoneOffset.UTC).toInstant())).signWith((Key) privateKey).compact();
 	}
+	protected String createMaliciousToken(OffsetDateTime expiresAt) {
+		Claims claims = Jwts.claims();
+		claims.put("scope", "exposed");
+		claims.put("onset", "2020-04-20");
+		claims.put("fake", "0");
+		return Jwts.builder().setClaims(claims).setId(UUID.randomUUID().toString())
+				.setSubject("test-subject" + OffsetDateTime.now().withOffsetSameInstant(ZoneOffset.UTC).toString()).setExpiration(Date.from(expiresAt.toInstant()))
+				.setIssuedAt(Date.from(OffsetDateTime.now().withOffsetSameInstant(ZoneOffset.UTC).toInstant())).compact();
+	}
 
 }
diff --git a/...-backend-sdk-ws/src/test/java/org/dpppt/backend/sdk/ws/controller/GaenControllerTest.java b/...-backend-sdk-ws/src/test/java/org/dpppt/backend/sdk/ws/controller/GaenControllerTest.java
@@ -1027,6 +1027,19 @@ public void testEtag() throws Exception {
 		assertTrue(publishedUntil < System.currentTimeMillis(), "Published until must be in the past");
 		assertNotEquals(expectedEtag, response.getHeader("etag"));
 	}
+
+	@Test
+	public void testMalciousTokenFails() throws Exception {
+		var requestList = new GaenRequest();
+		List<GaenKey> exposedKeys = new ArrayList<GaenKey>();
+		requestList.setGaenKeys(exposedKeys);
+		String token = createMaliciousToken(OffsetDateTime.now().withOffsetSameInstant(ZoneOffset.UTC).plusMinutes(5));
+		MvcResult response = mockMvc.perform(post("/v1/gaen/exposed")
+				.contentType(MediaType.APPLICATION_JSON).header("Authorization", "Bearer " + token)
+				.header("User-Agent", "MockMVC").content(json(requestList))).andExpect(request().asyncNotStarted()).andExpect(status().is(401)).andReturn();
+		String authenticateError = response.getResponse().getHeader("www-authenticate");
+		assertTrue(authenticateError.contains("Unsigned Claims JWTs are not supported."));
+	}
 
 	private void verifyZipInZipResponse(MockHttpServletResponse response, int expectKeyCount) throws Exception {
 		ByteArrayInputStream baisOuter = new ByteArrayInputStream(response.getContentAsByteArray());