Merge pull request #84 from jwtk/op-OKTA-444793-vuln-uuid

chore: bump uuid dependency to 8.x and enforce minimal node version
jwtk · Dec 3, 2021 · ce98cd4 · ce98cd4
2 parents a473c84 + 4913f46
commit ce98cd4
Show file tree

Hide file tree

Showing 9 changed files with 56 additions and 44 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # nJwt Change Log
 
+### 1.2.0
+
+* [#84] (https://github.com/jwtk/njwt/pull/84) Resolves `uuid` vulnerability.
+
 ### 1.1.0
 
 * [#77](https://github.com/jwtk/njwt/pull/77) Adds TypeScript type definitions.

diff --git a/package.json b/package.json
@@ -1,7 +1,10 @@
 {
   "name": "njwt",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "JWT Library for Node.js",
+  "engines": {
+    "node": ">=6.0"
+  },
   "main": "index.js",
   "types": "index.d.ts",
   "scripts": {
@@ -28,7 +31,7 @@
   "dependencies": {
     "@types/node": "^15.0.1",
     "ecdsa-sig-formatter": "^1.0.5",
-    "uuid": "^3.3.2"
+    "uuid": "^8.3.2"
   },
   "devDependencies": {
     "@typescript-eslint/eslint-plugin": "^4.22.0",

diff --git a/test/algs.js b/test/algs.js
@@ -5,15 +5,15 @@ var fs = require('fs');
 var path = require('path');
 
 function itShouldBeAValidJwt(jwt){
-  assert(nJwt.create({},uuid()) instanceof nJwt.Jwt);
+  assert(nJwt.create({},uuid.v4()) instanceof nJwt.Jwt);
   var nowUnix = Math.floor(new Date().getTime()/1000);
-  assert.equal(nJwt.create({},uuid()).body.iat , nowUnix);
+  assert.equal(nJwt.create({},uuid.v4()).body.iat , nowUnix);
   assert(jwt.body.jti.match(/[a-zA-Z0-9]+[-]/));
 }
 
 function testHmacAlg(alg,done){
-  var key = uuid();
-  var claims = { hello: uuid(), debug: true };
+  var key = uuid.v4();
+  var claims = { hello: uuid.v4(), debug: true };
   var jwt = nJwt.create(claims,key,alg);
   var token = jwt.compact();
 
@@ -27,7 +27,7 @@ function testHmacAlg(alg,done){
 }
 
 function testKeyAlg(alg,keyPair,done){
-  var claims = { hello: uuid(), debug: true };
+  var claims = { hello: uuid.v4(), debug: true };
   var jwt = nJwt.create(claims,keyPair.private,alg);
   var token = jwt.compact();
 

diff --git a/test/builder.js b/test/builder.js
@@ -27,7 +27,7 @@ describe('create()',function(){
   });
 
   it('should create a default token if the scret is the only value',function(){
-    assert(nJwt.create(uuid()) instanceof nJwt.Jwt);
+    assert(nJwt.create(uuid.v4()) instanceof nJwt.Jwt);
   });
 
   it('should throw if using defaults without a secret key',function(){
@@ -45,33 +45,33 @@ describe('create()',function(){
   describe('with a signing key',function(){
 
     it('should return a JWT',function(){
-      assert(nJwt.create({},uuid()) instanceof nJwt.Jwt);
+      assert(nJwt.create({},uuid.v4()) instanceof nJwt.Jwt);
     });
 
     it('should use HS256 by default',function(){
-      assert.equal(nJwt.create({},uuid()).header.alg,'HS256');
+      assert.equal(nJwt.create({},uuid.v4()).header.alg,'HS256');
     });
 
     it('should create the iat field',function(){
       var nowUnix = Math.floor(new Date().getTime()/1000);
-      assert.equal(nJwt.create({},uuid()).body.iat , nowUnix);
+      assert.equal(nJwt.create({},uuid.v4()).body.iat , nowUnix);
     });
 
     it('should not overwrite a defined iat field',function(){
-      assert.equal(nJwt.create({iat: 1},uuid()).body.iat , 1);
+      assert.equal(nJwt.create({iat: 1},uuid.v4()).body.iat , 1);
     });
 
     it('should create the exp field, defaulted to 1 hour',function(){
       var oneHourFromNow = Math.floor(new Date().getTime()/1000) + (60*60);
-      assert.equal(nJwt.create({},uuid()).body.exp , oneHourFromNow);
+      assert.equal(nJwt.create({},uuid.v4()).body.exp , oneHourFromNow);
     });
 
     it('should not overwrite a defined jti field',function(){
-      assert.equal(nJwt.create({jti: 1},uuid()).body.jti , 1);
+      assert.equal(nJwt.create({jti: 1},uuid.v4()).body.jti , 1);
     });
 
     it('should create the jti field',function(){
-      var jwt = nJwt.create({},uuid());
+      var jwt = nJwt.create({},uuid.v4());
       assert(jwt.body.jti.match(/[a-zA-Z0-9]+[-]/));
     });
 

diff --git a/test/jwt.js b/test/jwt.js
@@ -10,28 +10,28 @@ describe('Jwt',function() {
 
   describe('.setClaim()',function(){
     it('should set a claim on the claims body',function(){
-      var myClaim = uuid();
+      var myClaim = uuid.v4();
       assert.equal(nJwt.Jwt().setClaim('myClaim', myClaim).body.myClaim,myClaim);
     });
   });
 
   describe('.setHeader()',function(){
     it('should set a header param on the header',function(){
-      var kid = uuid();
+      var kid = uuid.v4();
       assert.equal(nJwt.Jwt().setHeader('kid', kid).header.kid,kid);
     });
   });
 
   describe('.setSubject()',function(){
     it('should set the sub claim',function(){
-      var sub = uuid();
+      var sub = uuid.v4();
       assert.equal(nJwt.Jwt().setSubject(sub).body.sub,sub);
     });
   });
 
   describe('.setIssuer()',function(){
     it('should set the iss claim',function(){
-      var iss = uuid();
+      var iss = uuid.v4();
       assert.equal(nJwt.Jwt().setIssuer(iss).body.iss,iss);
     });
   });
@@ -52,9 +52,9 @@ describe('Jwt',function() {
       );
     });
     it('should allow me to remove the exp field',function(){
-      var jwt = nJwt.create({},uuid());
+      var jwt = nJwt.create({},uuid.v4());
       var oneHourFromNow = Math.floor(new Date().getTime()/1000) + (60*60);
-      assert.equal(nJwt.create({},uuid()).body.exp , oneHourFromNow);
+      assert.equal(nJwt.create({},uuid.v4()).body.exp , oneHourFromNow);
       assert.equal(jwt.setExpiration().body.exp, undefined);
       assert.equal(jwt.setExpiration(false).body.exp, undefined);
       assert.equal(jwt.setExpiration(null).body.exp, undefined);
@@ -79,9 +79,9 @@ describe('Jwt',function() {
       );
     });
     it('should allow me to remove the nbf field',function(){
-      var jwt = nJwt.create({},uuid());
+      var jwt = nJwt.create({},uuid.v4());
       var oneHourFromNow = Math.floor(new Date().getTime()/1000) + (60*60);
-      assert.equal(nJwt.create({},uuid()).body.nbf , undefined);
+      assert.equal(nJwt.create({},uuid.v4()).body.nbf , undefined);
       assert.equal(jwt.setNotBefore().body.nbf, undefined);
       assert.equal(jwt.setNotBefore(false).body.nbf, undefined);
       assert.equal(jwt.setNotBefore(null).body.nbf, undefined);
@@ -107,7 +107,7 @@ describe('Jwt',function() {
   });
   describe('.toString()',function(){
     it('should return the compacted JWT string',function(){
-      var jwt = nJwt.create({},uuid());
+      var jwt = nJwt.create({},uuid.v4());
       assert.equal(jwt.compact(),jwt.toString());
     });
   });

diff --git a/test/key-resolver.js b/test/key-resolver.js
@@ -41,7 +41,7 @@ describe('Verifier', function() {
       beforeEach(function() {
         callCount = 0;
         keyKid = '123';
-        signingKey = uuid();
+        signingKey = uuid.v4();
         keyResolver = function(kid, cb) {
           callCount++;
           assert(kid === keyKid);

diff --git a/test/others.js b/test/others.js
@@ -6,8 +6,8 @@ var jwtSimple = require('jwt-simple');
 
 describe('this library',function () {
   it('should generate tokens that can be verified by jsonwebtoken',function(done){
-    var key = uuid();
-    var claims = {hello:uuid()};
+    var key = uuid.v4();
+    var claims = {hello:uuid.v4()};
     var jwt = nJwt.create(claims,key);
     var token = jwt.compact();
     assert.doesNotThrow(function(){
@@ -23,8 +23,8 @@ describe('this library',function () {
   });
 
   it('should be able to verify tokens from jsonwebtoken',function(done){
-    var claims = {hello:uuid()};
-    var key = uuid();
+    var claims = {hello:uuid.v4()};
+    var key = uuid.v4();
     var token = jsonwebtoken.sign(claims, key);
     nJwt.verify(token,key,function(err,jwt){
       assert.isNull(err,'An unexpcted error was returned');
@@ -34,8 +34,8 @@ describe('this library',function () {
   });
 
   it('should generate tokens that can be verified by jwt-simple',function(done){
-    var key = uuid();
-    var claims = {hello:uuid()};
+    var key = uuid.v4();
+    var claims = {hello:uuid.v4()};
     var jwt = nJwt.create(claims,key);
     var token = jwt.compact();
     var decoded;
@@ -51,8 +51,8 @@ describe('this library',function () {
   });
 
   it('should be able to verify tokens from jwt-simple',function(done){
-    var claims = {hello:uuid()};
-    var key = uuid();
+    var claims = {hello:uuid.v4()};
+    var key = uuid.v4();
     var token = jwtSimple.encode(claims, key);
     nJwt.verify(token,key,function(err,jwt){
       assert.isNull(err,'An unexpcted error was returned');

diff --git a/test/verifier.js b/test/verifier.js
@@ -41,15 +41,15 @@ describe('.verify()',function(){
   });
 
   it('should not alter the JWT, it should be compact-able as the same token',function(){
-    var orignalJwt = new nJwt.Jwt({hello: uuid()}, false).setSigningAlgorithm('none');
+    var orignalJwt = new nJwt.Jwt({hello: uuid.v4()}, false).setSigningAlgorithm('none');
     var originalToken = orignalJwt.compact();
     var verifiedJwt = nJwt.verify(originalToken);
     assert.equal(originalToken, verifiedJwt.compact());
   });
 
   describe('if given only a token',function(){
     it('should verify tokens that are alg none',function(){
-      var claims = {hello: uuid()};
+      var claims = {hello: uuid.v4()};
       var token = new nJwt.Jwt(claims)
         .setSigningAlgorithm('none')
         .compact();
@@ -58,8 +58,8 @@ describe('.verify()',function(){
       });
     });
     it('should reject tokens that specify an alg',function(){
-      var claims = {hello: uuid()};
-      var key = uuid();
+      var claims = {hello: uuid.v4()};
+      var key = uuid.v4();
       var token = new nJwt.create(claims,key)
         .compact();
       assert.throws(function(){
@@ -90,7 +90,7 @@ describe('.verify()',function(){
   });
 
   it('should give me the parsed header on the error object if the body fails',function(done){
-    var header = nJwt.JwtHeader({typ:'JWT',alg:uuid()});
+    var header = nJwt.JwtHeader({typ:'JWT',alg:uuid.v4()});
     var invalidJwt = header.compact()+'.notavalidbody';
     nJwt.verify(invalidJwt,function(err){
       assert.equal(err.jwtString, invalidJwt);
@@ -106,7 +106,7 @@ describe('Verifier().verify() ',function(){
   it('should support sync usage',function(){
     var verifier = new nJwt.Verifier()
       .setSigningAlgorithm('none');
-    var claims = {hello: uuid()};
+    var claims = {hello: uuid.v4()};
     var token = new nJwt.Jwt(claims).compact();
     var verifiedToken;
     assert.doesNotThrow(function(){
@@ -123,7 +123,7 @@ describe('Verifier().verify() ',function(){
   });
 
   it('should return the jwt string, header and body on error objects',function(done){
-    var jwt = new nJwt.Jwt({expiredToken:uuid()})
+    var jwt = new nJwt.Jwt({expiredToken:uuid.v4()})
       .setExpiration(new Date().getTime()-1000);
     var token = jwt.compact();
     nJwt.verify(token,function(err){
@@ -136,7 +136,7 @@ describe('Verifier().verify() ',function(){
   });
 
   it('should return the jwt string, header and body on error objects with not active message',function(done){
-    var jwt = new nJwt.Jwt({notActiveToken:uuid()})
+    var jwt = new nJwt.Jwt({notActiveToken:uuid.v4()})
       .setNotBefore(new Date().getTime()+1000);
     var token = jwt.compact();
     nJwt.verify(token,function(err){
@@ -149,7 +149,7 @@ describe('Verifier().verify() ',function(){
   });
 
   it('should return the jwt string, header and body with null error objects',function(done){
-    var jwt = new nJwt.Jwt({notActiveToken:uuid()});
+    var jwt = new nJwt.Jwt({notActiveToken:uuid.v4()});
     var token = jwt.compact();
     nJwt.verify(token,function(err){
       assert.isNull(err);
@@ -162,7 +162,7 @@ describe('Verifier().verify() ',function(){
     var verifier = new nJwt.Verifier()
       .setSigningAlgorithm('none');
 
-    var claims = {hello: uuid()};
+    var claims = {hello: uuid.v4()};
 
     describe('and given an unsigned token',function(){
       var result;
@@ -273,7 +273,7 @@ describe('Verifier().verify() ',function(){
       .setSigningAlgorithm('HS256')
       .setSigningKey(key);
 
-    var claims = {hello:uuid()};
+    var claims = {hello:uuid.v4()};
 
     describe('and given a token that was signed with the same key',function(){
       var result;

diff --git a/yarn.lock b/yarn.lock
@@ -2792,6 +2792,11 @@ uuid@^3.3.2:
   resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.4.0.tgz#b23e4358afa8a202fe7a100af1f5f883f02007ee"
   integrity sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==
 
+uuid@^8.3.2:
+  version "8.3.2"
+  resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.3.2.tgz#80d5b5ced271bb9af6c445f21a1a04c606cefbe2"
+  integrity sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==
+
 v8-compile-cache@^2.0.3:
   version "2.3.0"
   resolved "https://registry.yarnpkg.com/v8-compile-cache/-/v8-compile-cache-2.3.0.tgz#2de19618c66dc247dcfb6f99338035d8245a2cee"