Hello! I am trying to upgrade twilio-java to 0.12.6. This is because of some known vulnerabilities like CVE-2024-31033 in jjwt 0.11.2. I saw there are some breaking changes in the 0.12 version. Since this vulnerability is a blocker for our customers, we have to upgrade. However, I would appreciate it if there is some other way we can get rid of this vulnerability.
Anyway, the main issue is that while upgrading to 0.12.6 I am facing a lot of errors. Here is the PR that I have raised. For example, the setSigningKey method (though it is deprecated) is showing errors.
Can someone help in upgrading the version? Maybe if there is some upgrade guide, that would be helpful.
A couple of things: CVE-2024-31033 is contested; there is a bit more discussion around it here: #930. TL;DR: we are waiting for that to get resolved (but I get it... nobody wants vuln reports, even false reports, in their builds).
Related to 0.12.6, the error you are seeing is related to your cty header value of: twilio-fpa;v=1
In 0.12, JJWT became more strict in how it parses JWTs. twilio-fpa;v=1 is an unknown content type, and JJWT doesn't know how to parse that; the same would be true if this were image/png.
You can read more about how the cty header is processed in the JWS RFC.
In order to support non-JWT content types, you can use the method parseSignedContent(<token>).
That [indirectly] gives you a byte array (call .accept(JwtVisitor) to convert it to your desired object).
There is a similar discussion on this here: #897 (where there is also some discussion on wrapping this logic in something like a ContentTypeHandler, e.g. Jwts.parser().cty(handler)...).
Your feedback on the ideas in that thread would be helpful!
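As an added example (written for this page, not code from the issue thread, from twilio-java, or from JJWT itself), the following shows the behaviour the reply above describes: a JWS whose cty header is a non-JWT media type is rejected by parseSignedClaims in 0.12 but can still be signature-verified with parseSignedContent, which hands back the raw payload bytes for the caller to deserialize. The JSON payload and the HS256 key are constructed for the example; the builder/parser calls (Jwts.builder().content(bytes, cty), Jwts.parser().verifyWith(key), parseSignedContent, parse(token).accept(Jws.CONTENT)) are assumed to match the JJWT 0.12.x API and should be checked against the javadoc of the version you pin.

```java
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;

import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;

// Added example for this issue thread; not part of JJWT or twilio-java.
// Assumes JJWT 0.12.x (jjwt-api, jjwt-impl, jjwt-jackson) on the classpath.
public class NonJwtContentTypeExample {

    // Constructed sample payload: JSON, but labelled with a non-JWT content type.
    static final String PAYLOAD = "{\"iss\":\"ACxxxxxxxx\",\"grants\":{\"video\":{}}}";
    static final String CTY = "twilio-fpa;v=1";

    // Produce a JWS whose cty header is a media type JJWT does not recognise.
    static String sign(SecretKey key) {
        return Jwts.builder()
                .content(PAYLOAD.getBytes(StandardCharsets.UTF_8), CTY) // payload bytes + cty header
                .signWith(key)
                .compact();
    }

    // Strict 0.12 parsing: the signature is verified, but because cty is not a
    // JWT/claims type the parser returns the payload as bytes instead of Claims.
    static byte[] verifyAndGetContent(SecretKey key, String token) {
        JwtParser parser = Jwts.parser().verifyWith(key).build();
        Jws<byte[]> jws = parser.parseSignedContent(token);
        return jws.getPayload(); // verified, base64url-decoded payload
    }

    // Same result through the visitor form mentioned in the thread.
    static byte[] verifyViaVisitor(SecretKey key, String token) {
        Jws<byte[]> jws = Jwts.parser().verifyWith(key).build()
                .parse(token)
                .accept(Jws.CONTENT);
        return jws.getPayload();
    }

    public static void main(String[] args) {
        SecretKey key = Jwts.SIG.HS256.key().build(); // constructed test key
        String token = sign(key);

        // 1. parseSignedClaims refuses the token: cty says it is not a claims JWT.
        try {
            Jwts.parser().verifyWith(key).build().parseSignedClaims(token);
            System.out.println("unexpected: token parsed as Claims");
        } catch (JwtException e) {
            System.out.println("parseSignedClaims rejected token: " + e.getMessage());
        }

        // 2. parseSignedContent verifies the signature and returns the bytes;
        //    the caller decides how to interpret them (here: JSON text).
        byte[] payload = verifyAndGetContent(key, token);
        System.out.println("verified payload: " + new String(payload, StandardCharsets.UTF_8));

        // 3. The visitor form yields the same payload.
        byte[] viaVisitor = verifyViaVisitor(key, token);
        System.out.println("visitor form matches: " + java.util.Arrays.equals(payload, viaVisitor));

        // 4. A tampered token still fails verification on the content path.
        String tampered = token.substring(0, token.length() - 4) + "AAAA";
        try {
            verifyAndGetContent(key, tampered);
            System.out.println("unexpected: tampered token accepted");
        } catch (JwtException e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }
    }
}
```

The security-relevant point is that switching to parseSignedContent does not weaken anything: the signature is still verified before any bytes are returned, and the only thing that moves to the caller is the deserialization of the payload. Keep that deserialization after the parse call, never on the unverified base64 segments of the token.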