Merge pull request #90 from blacklanternsecurity/jwt_headers_bug

fixing bug with non-matching RSA JWTs
blacklanternsecurity · Jul 20, 2023 · 969fa93 · 969fa93
2 parents 318c16f + 07f947a
commit 969fa93
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/badsecrets/modules/generic_jwt.py b/badsecrets/modules/generic_jwt.py
@@ -94,16 +94,15 @@ def check_secret(self, JWT):
                 r = self.jwtVerify(JWT, key, algorithm)
                 if r:
                     r["jwt_headers"] = jwt_headers
-
                     return {"secret": key, "details": r}
 
         elif algorithm[0].lower() == "r":
             for l in self.load_resources(["jwt_rsakeys_public.txt"]):
                 private_key_name = l.split(":")[0]
                 public_key = f"{l.split(':')[1]}".rstrip().encode().replace(b"\\n", b"\n")
                 r = self.jwtVerify(JWT, public_key, algorithm)
-                r["jwt_headers"] = jwt_headers
                 if r:
+                    r["jwt_headers"] = jwt_headers
                     return {"secret": f"Private key Name: {private_key_name}", "details": r}
 
         return None
diff --git a/tests/generic_jwt_test.py b/tests/generic_jwt_test.py
@@ -21,6 +21,14 @@ def test_generic_jwt_rsa():
     assert found_key["secret"] == f"Private key Name: 1"
 
 
+def test_generic_jwt_rsa_bad():
+    x = Generic_JWT()
+    found_key = x.check_secret(
+        "eyJhbGciOiJSUzI1NiJ9.eyJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkJhZFNlY3JldHMiLCJleHAiOjE1OTMxMzM0ODMsImlhdCI6MTQ2NjkwMzA4M30.VY5gbfqc1nrTMz7oCFvFBZtHE_gb97dWBAsOG9NJeeXJhASEBe2srxVqbWw1HTGcyZc1oxzJU6o-fpPAEpNO4QhFEJNZbWYJBLMtggiu_MKBEHGHgrAOE9gtH2qUKZ6zMWq5hO3JA0QuIWKE3g342C-beBNoLJ8ph02yrrqYuCWg2smExg6wL_LK0gnpsNLBXRcJ2dYSlEn9tz9Aim5TioZVJZK1DVtBX8k4xA0k47i9DGNwII7R9SU2cqqDOXBd7oo8AYwGP1U4kWtzeTKBBIAEjwGh11yKIMkZrL1SkctWEY1ogFlxBG9dWn0BcrYCVJaIxTSMCGmpjRSUKPnkTf"
+    )
+    assert not found_key
+
+
 def test_generic_jwt_negative():
     x = Generic_JWT()
     found_key = x.check_secret(