Deprecate the loose base64 decoding. #582

Merged
merged 1 commit into from
Jan 29, 2024
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -17,6 +17,8 @@
- Remove explicit base64 require from x5c_key_finder [#580](https://github.com/jwt/ruby-jwt/pull/580) - [@anakinj](https://github.com/anakinj).
- Performance improvements and cleanup of tests [#581](https://github.com/jwt/ruby-jwt/pull/581) - [@anakinj](https://github.com/anakinj).
- Repair EC x/y coordinates when importing JWK [#585](https://github.com/jwt/ruby-jwt/pull/585) - [@julik](https://github.com/julik).
- Explicit dependency to the base64 gem [#582](https://github.com/jwt/ruby-jwt/pull/582) - [@anakinj](https://github.com/anakinj).
- Deprecation warning for decoding content not compliant with RFC 4648 [#582](https://github.com/jwt/ruby-jwt/pull/582) - [@anakinj](https://github.com/anakinj).
- Your contribution here

## [v2.7.1](https://github.com/jwt/ruby-jwt/tree/v2.8.0) (2023-06-09)
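Review bot: The new "Deprecation warning for decoding content not compliant with RFC 4648" entry does not say that the lenient fallback is scheduled for removal in the next major version, which is what the warning text added in lib/jwt/base64.rb announces; state that here so anyone planning an upgrade sees it in the changelog. While touching this file, note that the trailing context heading is labelled v2.7.1 but links to tree/v2.8.0.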
16 changes: 14 additions & 2 deletions lib/jwt/base64.rb
Expand Up @@ -3,14 +3,26 @@
require 'base64'

module JWT
# Base64 helpers
# Base64 encoding and decoding
class Base64
class << self
# Encode a string with URL-safe Base64 complying with RFC 4648 (not padded).
def url_encode(str)
::Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
::Base64.urlsafe_encode64(str, padding: false)
end

# Decode a string with URL-safe Base64 complying with RFC 4648.
# Deprecated support for RFC 2045 remains for now. ("All line breaks or other characters not found in Table 1 must be ignored by decoding software")
def url_decode(str)
::Base64.urlsafe_decode64(str)
rescue ArgumentError => e
raise unless e.message == 'invalid base64'

warn('[DEPRECATION] Invalid base64 input detected, could be because of invalid padding, trailing whitespaces or newline chars. Graceful handling of invalid input will be dropped in the next major version of ruby-jwt')
loose_urlsafe_decode64(str)
end

def loose_urlsafe_decode64(str)
str += '=' * (4 - str.length.modulo(4))
::Base64.decode64(str.tr('-_', '+/'))
end
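Review bot: In `url_decode`, the rescue branch chooses the fallback by comparing `e.message == 'invalid base64'`, which ties the deprecation path to the exact exception text raised underneath `::Base64.urlsafe_decode64`; if that wording ever differs, malformed input will raise instead of warning, and no spec change is visible in this diff to catch it. Add a spec that pins the message this branch depends on. `loose_urlsafe_decode64` is defined in `class << self` with no `private` before it, so it becomes public API that will need its own deprecation; make it private. The `warn` also fires on every malformed input, and the input here is caller-supplied token data, so consider warning once per process or offering a strict mode so logs stay usable.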
2 changes: 2 additions & 0 deletions ruby-jwt.gemspec
Expand Up @@ -31,6 +31,8 @@ Gem::Specification.new do |spec|
spec.executables = []
spec.require_paths = %w[lib]

spec.add_dependency 'base64'

spec.add_development_dependency 'appraisal'
spec.add_development_dependency 'bundler'
spec.add_development_dependency 'rake'
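Review bot: `spec.add_dependency 'base64'` is added without a version constraint, while lib/jwt/base64.rb in the same change relies on `::Base64.urlsafe_encode64(str, padding: false)` and on the 'invalid base64' error text. Declare a minimum version (or a pessimistic constraint) known to provide both, so that dependency resolution cannot silently change decode behaviour.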