From 14ad07ffa2719e74178826da3072287ee8015a50 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Wed, 16 Mar 2022 11:29:46 +1100
Subject: [PATCH] fix(oidc): userinfo jti claim potential panic (#3017)

This fixes a usage of uuid.New() which can potentially panic. Instead we use a uuid.NewRandom() which also generates a UUID V4 instead of a UUID V1. In addition all uuid.NewUUID() calls have been replaced by uuid.NewRandom().
---
 internal/handlers/handler_oidc_userinfo.go | 10 +++++++++-
 internal/middlewares/identity_verification.go | 2 +-
 internal/storage/sql_provider_encryption.go | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/internal/handlers/handler_oidc_userinfo.go b/internal/handlers/handler_oidc_userinfo.go
index 070d5ea8f..6cc2a90df 100644
--- a/internal/handlers/handler_oidc_userinfo.go
+++ b/internal/handlers/handler_oidc_userinfo.go
@@ -94,7 +94,15 @@ func oidcUserinfo(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *htt
 switch client.UserinfoSigningAlgorithm {
 case "RS256":
- claims["jti"] = uuid.New()
+ var jti uuid.UUID
+
+ if jti, err = uuid.NewRandom(); err != nil {
+ ctx.Providers.OpenIDConnect.WriteError(rw, req, fosite.ErrServerError.WithHintf("Could not generate JWT ID."))
+
+ return
+ }
+
+ claims["jti"] = jti.String()
 claims["iat"] = time.Now().Unix()
 if keyID, err = ctx.Providers.OpenIDConnect.KeyManager.Strategy().GetPublicKeyID(req.Context()); err != nil {
diff --git a/internal/middlewares/identity_verification.go b/internal/middlewares/identity_verification.go
index 8bb877ce5..a46fba957 100644
--- a/internal/middlewares/identity_verification.go
+++ b/internal/middlewares/identity_verification.go
@@ -38,7 +38,7 @@ func IdentityVerificationStart(args IdentityVerificationStartArgs, delayFunc Tim
 var jti uuid.UUID
- if jti, err = uuid.NewUUID(); err != nil {
+ if jti, err = uuid.NewRandom(); err != nil {
 ctx.Error(err, messageOperationFailed)
 return
 }
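Review bot: The error returned by uuid.NewRandom() in the new RS256 branch is discarded: the client receives ErrServerError with the hint "Could not generate JWT ID.", but the underlying cause (a crypto/rand read failure is essentially the only way NewRandom fails) is neither logged nor attached to the fosite error, so an operator seeing this response has nothing to investigate. Consider attaching it, e.g. `fosite.ErrServerError.WithHint("Could not generate JWT ID.").WithWrap(err)` (fosite's RFC6749Error exposes WithWrap/WithDebug in the versions I know of — confirm for the one vendored here) or logging it through ctx before returning; `WithHintf` with no format arguments can also simply be `WithHint`. Separately, if this is github.com/google/uuid (its NewUUID/NewRandom names match), `uuid.New()` is `Must(NewRandom())` and already produced a version 4 UUID, so this hunk only removes the panic path; the V1-to-V4 change described in the commit message applies to the NewUUID() call sites in the other two files. oidcUserinfo begins before this hunk and continues past it.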
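Review bot: The reason for preferring NewRandom over NewUUID on the changed line is not recorded in the code, and it is security-relevant rather than cosmetic: if this is github.com/google/uuid, NewUUID builds a version 1 UUID from the clock and the host's node ID (normally a MAC address), so a jti minted that way placed host-identifying data into a token handed to the user, whereas NewRandom draws its bits from crypto/rand. A one-line comment would stop a later maintainer from reverting to v1 for its time-ordering property, e.g. `// Version 4 (crypto/rand) rather than version 1: a v1 jti would leak the host's node ID and clock into the token.` IdentityVerificationStart begins before this hunk and continues past it.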
diff --git a/internal/storage/sql_provider_encryption.go b/internal/storage/sql_provider_encryption.go
index b3750a069..64974b19a 100644
--- a/internal/storage/sql_provider_encryption.go
+++ b/internal/storage/sql_provider_encryption.go
@@ -279,7 +279,7 @@ func (p *SQLProvider) getEncryptionValue(ctx context.Context, name string) (valu
 }
 func (p *SQLProvider) setNewEncryptionCheckValue(ctx context.Context, key *[32]byte, e sqlx.ExecerContext) (err error) {
- valueClearText, err := uuid.NewUUID()
+ valueClearText, err := uuid.NewRandom()
 if err != nil {
 return err
 }
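Review bot: `valueClearText, err := uuid.NewRandom()` assigns into the named result `err` through `:=`; it compiles only because valueClearText is new in the same scope, and it reads like a shadowing bug at first glance — moving the line into a nested block during a later refactor would silently shadow err and the function would return nil on failure. The other two hunks in this commit use the explicit form; matching it here is clearer: `var valueClearText uuid.UUID` followed by `if valueClearText, err = uuid.NewRandom(); err != nil { return err }`. The rest of setNewEncryptionCheckValue, including what is done with valueClearText and the key, lies outside the hunk, so whether a v1 versus v4 value matters for the stored check value cannot be judged from here.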