Remove JWT validation from production code #547

JLLeitschuh

Motivation

CodeQL was flagging the current use of JWT as being vulnerable as validateBrokerToken wasn't actually performing validation of the signature.

Since the logic is unused, except for in test, the entire chunk of logic has been moved exclusively to tests.

Explain here the context, and why you're making that change. What is the problem you're trying to solve.

Modifications

Move JwtServiceImpl#validateBrokerToken logic into BrokerTokensServiceImplTest

Verifying this change

  • Make sure that the change passes the ./gradlew build checks.

Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
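
The gap the PR description refers to, decoding a JWT's claims versus validating its signature, shown as an added example that is not the project's code. It uses only the JDK and HS256; the class name, method names, key and claims are all hypothetical and constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtSignatureCheckDemo {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    static byte[] hmac(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Constructed helper: builds an HS256 token so the demo has input to work on.
    static String sign(byte[] key, String payloadJson) throws Exception {
        String header = ENC.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = ENC.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return header + "." + body + "." + ENC.encodeToString(hmac(key, header + "." + body));
    }

    // Decode only: returns the claims without ever looking at the signature segment.
    static String decodeUnverified(String token) {
        return new String(DEC.decode(token.split("\\.")[1]), StandardCharsets.UTF_8);
    }

    // Verify, then decode. The algorithm is pinned to HS256 here, not read from the token header.
    static String decodeVerified(byte[] key, String token) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("malformed token");
        byte[] expected = hmac(key, parts[0] + "." + parts[1]);
        // MessageDigest.isEqual compares in constant time.
        if (!MessageDigest.isEqual(expected, DEC.decode(parts[2]))) throw new SecurityException("bad signature");
        return new String(DEC.decode(parts[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-a-real-secret".getBytes(StandardCharsets.UTF_8);
        String good = sign(key, "{\"sub\":\"broker-a\"}");
        // Constructed test input: payload replaced, original signature kept.
        String[] p = good.split("\\.");
        String altered = p[0] + "." + ENC.encodeToString("{\"sub\":\"broker-b\"}".getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        System.out.println("decode only, altered token: " + decodeUnverified(altered));
        System.out.println("verified, original token:   " + decodeVerified(key, good));
        try { decodeVerified(key, altered); }
        catch (SecurityException e) { System.out.println("verified, altered token:    rejected (" + e.getMessage() + ")"); }
    }
}
```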

@lhotari lhotari left a comment

LGTM. Thanks for the contribution @JLLeitschuh!

@lhotari lhotari requested a review from onobc February 7, 2024 10:39
@eolivelli eolivelli merged commit 4476f5e into apache:master Feb 7, 2024
1 check passed
@JLLeitschuh JLLeitschuh deleted the improve/JLL/remove-JWT-validation-from-production-code branch February 7, 2024 13:21
@liangyepianzhou liangyepianzhou added this to the 0.4.0 milestone Jan 10, 2025
liangyepianzhou pushed a commit that referenced this pull request Jan 12, 2025
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
(cherry picked from commit 4476f5e)