Add global workaround for applications

simo5 · simo5 · commit 34b652526d4f · 2022-09-13T12:14:23.000-04:00
Because the previous patch changes the behavoir of jwcrypto, this knob is a quick way for application developers to get back the old behavior temporarily without having to change the code immediately as it may require some significant refactoring, depending on how the application was written. This is not intended to be used in the long term and will be eventually deleted. Unfortunately I cannot decorate a simply global variable with the @deprecated decoration to make it clearer. Signed-off-by: Simo Sorce <simo@redhat.com>
diff --git a/docs/source/jwt.rst b/docs/source/jwt.rst
@@ -14,6 +14,13 @@ Classes
    :members:
    :show-inheritance:
 
+Variables
+---------
+
+.. autodata:: jwcrypto.jwt.JWTClaimsRegistry
+
+.. autodata:: jwcrypto.jwt.JWT_expect_type
+
 Examples
 --------
 
diff --git a/jwcrypto/jwt.py b/jwcrypto/jwt.py
@@ -22,6 +22,17 @@
                      'nbf': 'Not Before',
                      'iat': 'Issued At',
                      'jti': 'JWT ID'}
+"""Registry of RFC 7519 defined claims"""
+
+
+# do not use this unless you know about CVE-2022-3102
+JWT_expect_type = True
+"""This module parameter can disable the use of the expectation
+   feature that has been introduced to fix CVE-2022-3102. This knob
+   has been added as a workaround for applications that can't be
+   immediately refactored to deal with the change in behavior but it
+   is considered deprecated and will be removed in a future release.
+"""
 
 
 class JWTExpired(JWException):
@@ -542,11 +553,11 @@ def validate(self, key):
         validate_fn = None
 
         if isinstance(self.token, JWS):
-            if et != "JWS":
+            if et != "JWS" and JWT_expect_type:
                 raise TypeError("Expected {}, got JWS".format(et))
             validate_fn = self.token.verify
         elif isinstance(self.token, JWE):
-            if et != "JWE":
+            if et != "JWE" and JWT_expect_type:
                 print("algs: {}".format(self._algs))
                 raise TypeError("Expected {}, got JWE".format(et))
             validate_fn = self.token.decrypt
diff --git a/jwcrypto/tests.py b/jwcrypto/tests.py
@@ -1763,6 +1763,11 @@ def test_unexpected(self):
         token.make_encrypted_token(key)
         enctok = token.serialize()
 
+        # test workaroud for older applications
+        jwt.JWT_expect_type = False
+        jwt.JWT(jwt=enctok, key=key)
+        jwt.JWT_expect_type = True
+
         token.validate(key)
         token.expected_type = "JWE"
         token.validate(key)
