ottoka commented on code in PR #2189:
URL: https://github.com/apache/james-project/pull/2189#discussion_r1555083407
##########
server/protocols/jwt/src/main/java/org/apache/james/jwt/JwtTokenVerifier.java:
##########
@@ -25,16 +25,36 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.CompressionCodecResolver;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
+import io.jsonwebtoken.impl.compression.DefaultCompressionCodecResolver;
public class JwtTokenVerifier {
+ private static final CompressionCodecResolver
DEFAULT_COMPRESSION_CODEC_RESOLVER = new DefaultCompressionCodecResolver();
+ private static final CompressionCodecResolver
SECURE_COMPRESSION_CODEC_RESOLVER = header -> {
+ if (Optional.ofNullable(header.getCompressionAlgorithm()).isPresent())
{
+ throw new RuntimeException("Rejecting a ZIP JWT. Usage of ZIPPED
JWT can result in " +
+ "excessive memory usage with malicious JWT tokens. To activate
support for ZIPPed" +
+ "JWT please run James with the -Djames.jwt.zip.allow=true
system property.");
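Review bot: SECURE_COMPRESSION_CODEC_RESOLVER rejects a compressed token by throwing a bare RuntimeException, while this class already imports JwtException and MalformedJwtException for parse failures; throwing a JwtException subtype (for example `throw new MalformedJwtException("Rejecting a ZIP JWT. ...")`) would let a zipped token be refused on the same rejection path as any other invalid token instead of surfacing as an unexpected runtime error further up the stack. Also, the message concatenation `"... support for ZIPPed" + "JWT please run James ..."` is missing a space between the two fragments, so the error text reads `ZIPPedJWT please run James`.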
Review Comment:
I suggest you put this in jvm.properties with the other tweakable odds and
ends. Gives users a chance to find this later without checking the source code.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]