From 08c446a3e1b656f3e5e99251226a57cc4dfaa03a Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Thu, 18 Mar 2021 11:20:33 -0700
Subject: [PATCH 1/2] Use openssl to generate the test user password instead of /dev/urandom
Because it's more portable across different operating systems and it is already pre-installed on MacOS.
---
 hack/prepare-for-integration-tests.sh | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh
index e3aac8996..44e298fdf 100755
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@@ -113,6 +113,7 @@ check_dependency ytt "Please install ytt. e.g. 'brew tap k14s/tap && brew instal
 check_dependency kapp "Please install kapp. e.g. 'brew tap k14s/tap && brew install kapp' for MacOS"
 check_dependency kubectl "Please install kubectl. e.g. 'brew install kubectl' for MacOS"
 check_dependency htpasswd "Please install htpasswd. Should be pre-installed on MacOS. Usually found in 'apache2-utils' package for linux."
+check_dependency openssl "Please install openssl. Should be pre-installed on MacOS."
 check_dependency chromedriver "Please install chromedriver. e.g. 'brew install chromedriver' for MacOS"
 # Require kubectl >= 1.18.x
@@ -209,13 +210,7 @@ fi
 test_username="test-username"
 test_groups="test-group-0,test-group-1"
-set +o pipefail
-test_password="$(cat /dev/urandom | env LC_ALL=C tr -dc 'a-z0-9' | fold -w 32 | head -n 1)"
-set -o pipefail
-if [[ ${#test_password} -ne 32 ]]; then
- log_error "Could not create test user's random password"
- exit 1
-fi
+test_password="$(openssl rand -hex 16)"
 log_note "Creating test user '$test_username'..."
 kubectl create secret generic "$test_username" \
 --namespace local-user-authenticator \
From d162cb9adfa913481a2374145451938122009b8d Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Thu, 18 Mar 2021 16:54:55 -0400
Subject: [PATCH 2/2] Move to github.com/form3tech-oss/jwt-go
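Review bot: The replaced lines in the second hunk drop the length check that guarded against a failed or empty password generation; `openssl rand -hex 16` can still fail or emit nothing, and unless the script runs under `set -e` (not visible in this hunk, only `set -o pipefail` is) `test_password` would silently become empty and be written into the secret created below. Keep a one-line sanity check after the assignment, `[[ ${#test_password} -eq 32 ]] || { log_error "Could not create test user's random password"; exit 1; }`, which also documents the expected 32-hex-character form. Sixteen random bytes is 128 bits of entropy, somewhat less than the previous 32 characters of [a-z0-9], but ample for a throwaway test credential; a comment such as `# 16 random bytes -> 32 hex chars (128 bits), enough for a disposable test user` would make the sizing deliberate rather than incidental. The enclosing script continues outside the hunk.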
Signed-off-by: Monis Khan
---
 go.mod | 7 +++++++
 go.sum | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/go.mod b/go.mod
index 56f012121..c8717c7fb 100644
--- a/go.mod
+++ b/go.mod
@@ -47,3 +47,10 @@ require (
 // We need this until none of our deps tries to pull in v1.0.0, otherwise some tools like
 // Dependabot will fail on our module.
 replace github.com/oleiade/reflections v1.0.0 => github.com/oleiade/reflections v1.0.1
+
+// We were never vulnerable to CVE-2020-26160 but this avoids future issues
+// This fork is not particularly better though:
+// https://github.com/form3tech-oss/jwt-go/issues/7
+// We use the SHA of github.com/form3tech-oss/jwt-go@v3.2.2 to get around "used for two different module paths"
+// https://golang.org/issues/26904
+replace github.com/dgrijalva/jwt-go v3.2.0+incompatible => github.com/form3tech-oss/jwt-go v0.0.0-20200915135329-9162a5abdbc0
diff --git a/go.sum b/go.sum
index 0a0c6dfde..a0accf607 100644
--- a/go.sum
+++ b/go.sum
@@ -153,8 +153,6 @@ github.com/dgraph-io/ristretto v0.0.1/go.mod h1:T40EBc7CJke8TkpiYfGGKAeFjSaxuFXh
 github.com/dgraph-io/ristretto v0.0.2/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E=
 github.com/dgraph-io/ristretto v0.0.3 h1:jh22xisGBjrEVnRZ1DVTpBVQm0Xndu8sMl0CWDzSIBI=
 github.com/dgraph-io/ristretto v0.0.3/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA=
 github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
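Review bot: The new replace directive in go.mod only takes effect when this repository is the main module; Go ignores replace directives found in dependencies, so any downstream module that imports packages from here will still resolve github.com/dgrijalva/jwt-go v3.2.0+incompatible on its own unless it adds the same replace. The comment block is the right place to say so, e.g. `// NOTE: replace only applies when this is the main module; importers of this module must add their own replace to get the fork.` The comment also states that this module was never vulnerable to CVE-2020-26160 without giving the reason; a short clause recording why (which jwt-go API this code base does or does not rely on) would let the next reader re-verify the claim instead of trusting it, and would be the place to revisit if that usage changes. The require block that still lists the original dgrijalva/jwt-go requirement is outside the hunk.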
@@ -192,6 +190,8 @@ github.com/fatih/structs v1.0.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
+github.com/form3tech-oss/jwt-go v0.0.0-20200915135329-9162a5abdbc0 h1:MlJ3VGb3dbhx8w0FzhPNHh9Di62kt7rLZaCUm5Avf8Y=
+github.com/form3tech-oss/jwt-go v0.0.0-20200915135329-9162a5abdbc0/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=