Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for CVE-2024-33664. JWE limited to 250K #352

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix for CVE-2024-33664. JWE limited to 250K #352

wants to merge 1 commit into from

Conversation

alistairwatts
Copy link

This fix for CVE-2024-33664 ensures that any incoming JWE is under 250K, which seems to be a sensible, albeit large limit. The specific fix for the "zip bomb" issue ensures that we decompress no more that 250K of data. If that limit is reached then a JWEError is raised.

There's rough symmetry here ensuring that both compressed and uncompressed JWE data is no more than 250K.

@alistairwatts alistairwatts mentioned this pull request May 7, 2024
Open
@omufeed
Copy link

omufeed commented May 8, 2024

Is this repository still maintained? Would be great to check and merge this PR.

@Shinnnyshinshin
Copy link

Thank you for this work @alistairwatts. Would love to see this PR go in.

@CharlesPerrotMinotHCHB
Copy link

Let's try pinging @asherf and @mpdavis

alistairwatts
alistairwatts commented May 15, 2024
View reviewed changes
jose/jwe.py Outdated
# data could lead to large memory usage. This helps address This addresses
# CVE-2024-33664. Also see _decompress()
if len(jwe_str) > JWE_SIZE_LIMIT:
raise JWEError("JWE string exceeds {JWE_SIZE_LIMIT} bytes")
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be an f-string.

This was referenced May 21, 2024
Closed
Closed
@alistairwatts alistairwatts mentioned this pull request May 21, 2024
Closed
@smittysmee
Copy link

@mpdavis

@maciejstromich
Copy link

if @mpdavis does not work maybe @michaeldavis-wf will?

@Natim Natim mentioned this pull request May 28, 2024
Merged
libo
libo reviewed May 29, 2024
View reviewed changes
Copy link

@libo libo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fixed the missing f-string. @alistairwatts

jose/jwe.py Outdated Show resolved Hide resolved
@twwildey
Copy link
Collaborator

Can you rebase your changes onto the latest master branch and force-update your branch for this PR?

@nicholas-quirk-mass-gov
Copy link

@alistairwatts

bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request Jun 3, 2024
@bmwiedemann
Update python-python-jose to version 3.3.0 / rev 9 via SR 1178245
4b9828d 
https://build.opensuse.org/request/show/1178245
by user dgarcia + anag+factory
- Update CVE-2024-33664.patch with upstream
  mpdavis/python-jose#352
  bsc#1223422
@CharlesPerrotMinotHCHB
Copy link

@twwildey

@phasath
Copy link

phasath commented Sep 20, 2024

Any updates here?

@BEEFF
Copy link

BEEFF commented Nov 13, 2024

Right now we should be checking the length of the tokens at the API level whilst waiting for this fix? Dependabot brought me here.

asherf
asherf reviewed Feb 5, 2025
View reviewed changes
jose/jwe.py
# data could lead to large memory usage. This helps address This addresses
# CVE-2024-33664. Also see _decompress()
if len(jwe_str) > JWE_SIZE_LIMIT:
raise JWEError(f"JWE string exceeds {JWE_SIZE_LIMIT} bytes")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it would be useful to also include the token size, more information is usually useful.

asherf
asherf reviewed Feb 5, 2025
View reviewed changes
tests/test_jwe.py
import jose.constants
old_limit = jose.constants.JWE_SIZE_LIMIT
try:
jose.constants.JWE_SIZE_LIMIT = 1024
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is better to use a a monkery patch here here: https://docs.pytest.org/en/stable/reference/reference.html#pytest.MonkeyPatch.setattr
reducing the need to to things manually.

asherf
asherf reviewed Feb 5, 2025
View reviewed changes
tests/test_jwe.py
encrypted = jwe.encrypt(b"Text"*64*1024, PUBLIC_KEY_PEM, enc, alg, zip=ZIPS.DEF)
assert len(encrypted) < jose.constants.JWE_SIZE_LIMIT
header = json.loads(base64url_decode(encrypted.split(b".")[0]))
with pytest.raises(JWEError):
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since JWError is kind of generic, it is worth asserting on the error message:
https://docs.pytest.org/en/7.1.x/how-to/assert.html#assertions-about-expected-exceptions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asherf asherf asherf left review comments

@libo libo libo left review comments

@keith-oak keith-oak keith-oak approved these changes

@Shinnnyshinshin Shinnnyshinshin Shinnnyshinshin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.