[core] Set ruby-jwt gem to v2.10.3 minimum. #30056
Conversation
5a31165 to
8422b7c
Compare
|
Thanks! - this is a bit too much. I only want to track exclusions for urgent issues that are breaking, like we did on openssl when literally anything HTTPS failed. That is breaking to fastlane and thus we exclude that version. These versions are excluded for security reasons it seems and may introduce complexities for other orgs. Lets only move our minimum to 2.x and kill the test. Its too hooked to a specific line of code and doesn't really test anything outside of that. |
|
Alright, that makes sense. I simplified this to only raise the minimum One small thing I would want to point out: this keeps the PR aligned with fastlane’s usual dependency policy and avoids extra constraints, but it does mean we are no longer blocking the affected 3.x releases at the fastlane dependency boundary. In practice, fastlane’s current bundle still resolves to I re-verified that the bundle resolves to |
There was a problem hiding this comment.
Hey @nakshatrasinghh 👋
Thank you for your contribution to fastlane and congrats on getting this pull request merged 🎉
The code change now lives in the master branch, however it wasn't released to RubyGems yet.
We usually ship about once a month, and your PR will be included in the next one.
Please let us know if this change requires an immediate release by adding a comment here 👍
We'll notify you once we shipped a new release with your changes 🚀"
There was a problem hiding this comment.
Congratulations! 🎉 This was released as part of fastlane 2.236.0 🚀
Checklist
bundle exec rspecfrom the root directory to see all new and existing tests passbundle exec rubocop -ato ensure the code style is validci/circlecibuilds in the "All checks have passed" section of my PR (connect CircleCI to GitHub if not)Motivation and Context
Resolves #30055
ruby-jwtversions before the patched releases allow an empty HMAC key to verify attacker-craftedHS256tokens when callers decode with an empty string key or a keyfinder that returns an empty string.fastlane already widened the upper
jwtdependency bound to allow the v3 series, but the lower bound still allowed vulnerable 2.x versions. During investigation, I confirmed that the fix was backported tojwt 2.10.3, so fastlane can require a patched version without forcing all users onto the v3 dependency path.This keeps fastlane compatible with its current Ruby
>= 3.0minimum while still allowing safejwt 3.2.0+versions.Description
This PR tightens fastlane's
jwtdependency requirement to patched versions only.The change:
jwtversion to2.10.3jwt3.0.0through3.1.2Gemfile.lockto resolvejwt 2.10.3I investigated the reported behavior by reproducing the empty-key HMAC verification with an affected
jwtversion, then verified that the updated dependency resolves tojwt 2.10.3and rejects both the static empty-key and keyfinder empty-key cases.Documentation was not changed because this is a dependency/security constraint update rather than a user-facing fastlane feature or configuration change.
Testing Steps
Reproduced the vulnerable behavior with an affected
jwtversion:HS256token signed with an empty HMAC keyjwtaccepted the token with both a static empty string key and a keyfinder returning""Verified the fixed behavior with the updated bundle:
jwt 2.10.3JWT::DecodeError: HMAC key cannot be emptyES256token generation still works