From 595b024b54bb282426a1d9f711c654dfadeb2ce8 Mon Sep 17 00:00:00 2001 From: David Barroso Date: Fri, 10 Jan 2025 13:37:33 +0100 Subject: [PATCH] chore: update deps due to CVE (#604) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ### **PR Type** Enhancement, Other ___ ### **Description** - Update `github.com/MicahParks/jwkset` to v0.7.0 - Upgrade `golang.org/x/time` to v0.9.0 - Address potential security vulnerabilities (CVE) - Update dependencies in go.mod and go.sum ___ ### **Changes walkthrough** 📝
Relevant files
Dependencies
go.mod
Update jwkset and time package versions                                   

go.mod
  • Upgrade github.com/MicahParks/jwkset from v0.5.19 to v0.7.0
  • Update golang.org/x/time from v0.5.0 to v0.9.0
  • +2/-2     
    go.sum
    Update dependency checksums in go.sum                                       

    go.sum
  • Add new versions of github.com/MicahParks/jwkset (v0.6.0, v0.7.0)
  • Update golang.org/x/time to v0.9.0
  • Add checksums for the new versions (the existing v0.5.19 and v0.5.0 entries are kept; +6/-0)
  • +6/-0     
    ___ > 💡 **PR-Agent usage**: Comment `/help "your question"` on any pull request to receive relevant information --- go.mod | 4 +- go.sum | 6 ++ .../github.com/MicahParks/jwkset/storage.go | 58 ++++++++----------- vendor/golang.org/x/time/LICENSE | 4 +- vendor/golang.org/x/time/rate/rate.go | 17 +----- vendor/modules.txt | 4 +- 6 files changed, 38 insertions(+), 55 deletions(-) diff --git a/go.mod b/go.mod index 49b0ae25f..5c95b60dd 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( ) require ( - github.com/MicahParks/jwkset v0.5.19 // indirect + github.com/MicahParks/jwkset v0.7.0 // indirect github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect github.com/bytedance/sonic v1.12.3 // indirect github.com/bytedance/sonic/loader v0.2.0 // indirect @@ -72,7 +72,7 @@ require ( golang.org/x/sync v0.8.0 // indirect golang.org/x/sys v0.25.0 // indirect golang.org/x/text v0.18.0 // indirect - golang.org/x/time v0.5.0 // indirect + golang.org/x/time v0.9.0 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index 439a8fd7f..9658201e7 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,9 @@ github.com/MicahParks/jwkset v0.5.19 h1:XZCsgJv05DBCvxEHYEHlSafqiuVn5ESG0VRB331Fxhw= github.com/MicahParks/jwkset v0.5.19/go.mod h1:q8ptTGn/Z9c4MwbcfeCDssADeVQb3Pk7PnVxrvi+2QY= +github.com/MicahParks/jwkset v0.6.0 h1:l9BdSMVzhmEFXTTlTPIhK2FuDTFYawMA1hrpxQRajBI= +github.com/MicahParks/jwkset v0.6.0/go.mod h1:lNJLP4R63A/8lT9GO6FWOr/fIooTSwViFijyxwIW9EU= +github.com/MicahParks/jwkset v0.7.0 h1:CXWuiYBk5NuTl+N/3UI3UcYNH79yWuKAZWZkc/y+7Ok= +github.com/MicahParks/jwkset v0.7.0/go.mod h1:fVrj6TmG1aKlJEeceAz7JsXGTXEn72zP1px3us53JrA= github.com/MicahParks/keyfunc/v3 v3.3.5 h1:7ceAJLUAldnoueHDNzF8Bx06oVcQ5CfJnYwNt1U3YYo= github.com/MicahParks/keyfunc/v3 v3.3.5/go.mod h1:SdCCyMJn/bYqWDvARspC6nCT8Sk74MjuAY22C7dCST8= github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk= 
@@ -164,6 +168,8 @@ golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= +golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/vendor/github.com/MicahParks/jwkset/storage.go b/vendor/github.com/MicahParks/jwkset/storage.go index debfa3e7b..4ca4a8f52 100644 --- a/vendor/github.com/MicahParks/jwkset/storage.go +++ b/vendor/github.com/MicahParks/jwkset/storage.go @@ -49,19 +49,19 @@ type Storage interface { MarshalWithOptions(ctx context.Context, marshalOptions JWKMarshalOptions, validationOptions JWKValidateOptions) (JWKSMarshal, error) } -var _ Storage = &memoryJWKSet{} +var _ Storage = &MemoryJWKSet{} -type memoryJWKSet struct { +type MemoryJWKSet struct { set []JWK mux sync.RWMutex } // NewMemoryStorage creates a new in-memory Storage implementation. -func NewMemoryStorage() Storage { - return &memoryJWKSet{} +func NewMemoryStorage() *MemoryJWKSet { + return &MemoryJWKSet{} } -func (m *memoryJWKSet) KeyDelete(_ context.Context, keyID string) (ok bool, err error) { +func (m *MemoryJWKSet) KeyDelete(_ context.Context, keyID string) (ok bool, err error) { m.mux.Lock() defer m.mux.Unlock() for i, jwk := range m.set { 
@@ -72,7 +72,7 @@ func (m *memoryJWKSet) KeyDelete(_ context.Context, keyID string) (ok bool, err
 }
 return ok, nil
 }
-func (m *memoryJWKSet) KeyRead(_ context.Context, keyID string) (JWK, error) {
+func (m *MemoryJWKSet) KeyRead(_ context.Context, keyID string) (JWK, error) {
 m.mux.RLock()
 defer m.mux.RUnlock()
 for _, jwk := range m.set {
@@ -82,48 +82,41 @@ func (m *memoryJWKSet) KeyRead(_ context.Context, keyID string) (JWK, error) { } return JWK{}, fmt.Errorf("%w: kid %q", ErrKeyNotFound, keyID) } -func (m *memoryJWKSet) KeyReadAll(_ context.Context) ([]JWK, error) { +func (m *MemoryJWKSet) KeyReadAll(_ context.Context) ([]JWK, error) { m.mux.RLock() defer m.mux.RUnlock() return slices.Clone(m.set), nil } -func (m *memoryJWKSet) KeyWrite(_ context.Context, jwk JWK) error { +func (m *MemoryJWKSet) KeyWrite(_ context.Context, jwk JWK) error { m.mux.Lock() defer m.mux.Unlock() - for i, j := range m.set { - if j.Marshal().KID == jwk.Marshal().KID { - m.set[i] = jwk - return nil - } - } m.set = append(m.set, jwk) return nil } - -func (m *memoryJWKSet) JSON(ctx context.Context) (json.RawMessage, error) { +func (m *MemoryJWKSet) JSON(ctx context.Context) (json.RawMessage, error) { jwks, err := m.Marshal(ctx) if err != nil { return nil, fmt.Errorf("failed to marshal JWK Set: %w", err) } return json.Marshal(jwks) } -func (m *memoryJWKSet) JSONPublic(ctx context.Context) (json.RawMessage, error) { +func (m *MemoryJWKSet) JSONPublic(ctx context.Context) (json.RawMessage, error) { return m.JSONWithOptions(ctx, JWKMarshalOptions{}, JWKValidateOptions{}) } -func (m *memoryJWKSet) JSONPrivate(ctx context.Context) (json.RawMessage, error) { +func (m *MemoryJWKSet) JSONPrivate(ctx context.Context) (json.RawMessage, error) { marshalOptions := JWKMarshalOptions{ Private: true, } return m.JSONWithOptions(ctx, marshalOptions, JWKValidateOptions{}) } -func (m *memoryJWKSet) JSONWithOptions(ctx context.Context, marshalOptions JWKMarshalOptions, validationOptions JWKValidateOptions) (json.RawMessage, error) { +func (m *MemoryJWKSet) JSONWithOptions(ctx context.Context, marshalOptions JWKMarshalOptions, validationOptions JWKValidateOptions) (json.RawMessage, error) { jwks, err := m.MarshalWithOptions(ctx, marshalOptions, validationOptions) if err != nil { return nil, fmt.Errorf("failed to marshal JWK Set with options: 
%w", err) } return json.Marshal(jwks) } -func (m *memoryJWKSet) Marshal(ctx context.Context) (JWKSMarshal, error) { +func (m *MemoryJWKSet) Marshal(ctx context.Context) (JWKSMarshal, error) { keys, err := m.KeyReadAll(ctx) if err != nil { return JWKSMarshal{}, fmt.Errorf("failed to read snapshot of all keys from storage: %w", err) @@ -134,7 +127,7 @@ func (m *memoryJWKSet) Marshal(ctx context.Context) (JWKSMarshal, error) { } return jwks, nil } -func (m *memoryJWKSet) MarshalWithOptions(ctx context.Context, marshalOptions JWKMarshalOptions, validationOptions JWKValidateOptions) (JWKSMarshal, error) { +func (m *MemoryJWKSet) MarshalWithOptions(ctx context.Context, marshalOptions JWKMarshalOptions, validationOptions JWKValidateOptions) (JWKSMarshal, error) { jwks := JWKSMarshal{} keys, err := m.KeyReadAll(ctx) @@ -203,10 +196,8 @@ type HTTPClientStorageOptions struct { // Provide the Ctx option to end the goroutine when it's no longer needed. RefreshInterval time.Duration - // Storage is the underlying storage implementation to use. - // - // This defaults to NewMemoryStorage(). - Storage Storage + // ValidateOptions are the options to use when validating the JWKs. + ValidateOptions JWKValidateOptions } type httpStorage struct { @@ -235,10 +226,7 @@ func NewStorageFromHTTP(u *url.URL, options HTTPClientStorageOptions) (Storage, if options.HTTPMethod == "" { options.HTTPMethod = http.MethodGet } - store := options.Storage - if store == nil { - store = NewMemoryStorage() - } + store := NewMemoryStorage() refresh := func(ctx context.Context) error { req, err := http.NewRequestWithContext(ctx, options.HTTPMethod, u.String(), nil) 
@@ -259,18 +247,18 @@ func NewStorageFromHTTP(u *url.URL, options HTTPClientStorageOptions) (Storage, if err != nil { return fmt.Errorf("failed to decode JWK Set response: %w", err) } - for _, marshal := range jwks.Keys { + store.mux.Lock() + defer store.mux.Unlock() + store.set = make([]JWK, len(jwks.Keys)) // Clear local cache in case of key revocation. + for i, marshal := range jwks.Keys { marshalOptions := JWKMarshalOptions{ Private: true, } - jwk, err := NewJWKFromMarshal(marshal, marshalOptions, JWKValidateOptions{}) + jwk, err := NewJWKFromMarshal(marshal, marshalOptions, options.ValidateOptions) if err != nil { return fmt.Errorf("failed to create JWK from JWK Marshal: %w", err) } - err = store.KeyWrite(options.Ctx, jwk) - if err != nil { - return fmt.Errorf("failed to write JWK to memory storage: %w", err) - } + store.set[i] = jwk } return nil } diff --git a/vendor/golang.org/x/time/LICENSE b/vendor/golang.org/x/time/LICENSE index 6a66aea5e..2a7cf70da 100644 --- a/vendor/golang.org/x/time/LICENSE +++ b/vendor/golang.org/x/time/LICENSE @@ -1,4 +1,4 @@ -Copyright (c) 2009 The Go Authors. All rights reserved. +Copyright 2009 The Go Authors. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are @@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer. copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - * Neither the name of Google Inc. nor the names of its + * Neither the name of Google LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. diff --git a/vendor/golang.org/x/time/rate/rate.go b/vendor/golang.org/x/time/rate/rate.go index 8f6c7f493..93a798ab6 100644 --- a/vendor/golang.org/x/time/rate/rate.go +++ b/vendor/golang.org/x/time/rate/rate.go 
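Review bot: A single malformed key in the fetched JWKS now empties the cache: `store.set = make([]JWK, len(jwks.Keys))` replaces the old set under the lock before the loop, so when `NewJWKFromMarshal` fails on key i the function returns with the previously cached keys gone and zero-value `JWK{}` entries left in `store.set` from i onward, whereas the removed `store.KeyWrite` path left the existing keys intact on error. The clear is what finally evicts revoked keys (the new comment says so), so the trade is deliberate, but presumably every signature check in this app then fails until the next successful refresh — a fail-closed outage rather than a bypass, which is worth knowing where the refresh interval and error handling are configured. Since this is vendored upstream code the fix belongs in a pinned jwkset release rather than here: parse into a local slice first and swap `store.set` under the lock only after every key parsed, as sketched below, so a bad response leaves the last good set in place. The description cites a CVE without an identifier, and this eviction change is the only visibly security-relevant hunk in the patch (the x/time change seeds `tokens` in `NewLimiter` and drops the `limit == 0` branch), so please link the advisory. `HTTPClientStorageOptions.Storage` is removed in this same file, so also confirm the unchanged `keyfunc/v3 v3.3.5` still builds against v0.7.0; the enclosing `NewStorageFromHTTP` and its refresh closure begin before this hunk.
```go
		keys := make([]JWK, 0, len(jwks.Keys))
		for _, marshal := range jwks.Keys {
			// … unchanged: NewJWKFromMarshal(marshal, marshalOptions, options.ValidateOptions) and its error return …
			keys = append(keys, jwk)
		}
		// Swap only after every key parsed, so a failed refresh never leaves a partial or empty set.
		store.mux.Lock()
		store.set = keys // Clear local cache in case of key revocation.
		store.mux.Unlock()
		return nil
```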
@@ -99,8 +99,9 @@ func (lim *Limiter) Tokens() float64 {
 // bursts of at most b tokens.
 func NewLimiter(r Limit, b int) *Limiter {
 return &Limiter{
- limit: r,
- burst: b,
+ limit: r,
+ burst: b,
+ tokens: float64(b),
 }
 }
@@ -344,18 +345,6 @@ func (lim *Limiter) reserveN(t time.Time, n int, maxFutureReserve time.Duration)
 tokens: n,
 timeToAct: t,
 }
- } else if lim.limit == 0 {
- var ok bool
- if lim.burst >= n {
- ok = true
- lim.burst -= n
- }
- return Reservation{
- ok: ok,
- lim: lim,
- tokens: lim.burst,
- timeToAct: t,
- }
 }
 t, tokens := lim.advance(t)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index bceff3dfd..46ff928af 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,4 +1,4 @@
-# github.com/MicahParks/jwkset v0.5.19
+# github.com/MicahParks/jwkset v0.7.0
 ## explicit; go 1.21
 github.com/MicahParks/jwkset
 # github.com/MicahParks/keyfunc/v3 v3.3.5
@@ -319,7 +319,7 @@ golang.org/x/text/transform
 golang.org/x/text/unicode/bidi
 golang.org/x/text/unicode/norm
 golang.org/x/text/width
-# golang.org/x/time v0.5.0
+# golang.org/x/time v0.9.0
 ## explicit; go 1.18
 golang.org/x/time/rate
 # google.golang.org/protobuf v1.34.2