Update jwt-go module to address CVE-2020-26160 (influxdata#8337)

n2N8Z · Nov 2, 2020 · 73b2f98 · 73b2f98
1 parent 9be445c
commit 73b2f98
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 5 deletions.
diff --git a/go.mod b/go.mod
@@ -39,7 +39,7 @@ require (
 	github.com/couchbase/gomemcached v0.0.0-20180502221210-0da75df14530 // indirect
 	github.com/couchbase/goutils v0.0.0-20180530154633-e865a1461c8a // indirect
 	github.com/denisenkom/go-mssqldb v0.0.0-20190707035753-2be1aa521ff4
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
 	github.com/dimchansky/utfbom v1.1.0
 	github.com/docker/distribution v2.6.0-rc.1.0.20170726174610-edc3ab29cdff+incompatible // indirect
 	github.com/docker/docker v17.12.0-ce-rc1.0.20200916142827-bd33bbf0497b+incompatible

diff --git a/go.sum b/go.sum
@@ -162,6 +162,8 @@ github.com/devigned/tab v0.1.1 h1:3mD6Kb1mUOYeLpJvTVSDwSg5ZsfSxfvxGRTxRsJsITA=
 github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbYd8tQGRWacE9kU=
+github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
 github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4=
 github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
 github.com/docker/distribution v2.6.0-rc.1.0.20170726174610-edc3ab29cdff+incompatible h1:357nGVUC8gSpeSc2Axup8HfrfTLLUfWfCsCUhiQSKIg=

diff --git a/plugins/inputs/dcos/client.go b/plugins/inputs/dcos/client.go
@@ -10,7 +10,7 @@ import (
 	"net/url"
 	"time"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	jwt "github.com/dgrijalva/jwt-go/v4"
 )
 
 const (
@@ -330,7 +330,7 @@ func (c *ClusterClient) createLoginToken(sa *ServiceAccount) (string, error) {
 		UID: sa.AccountID,
 		StandardClaims: jwt.StandardClaims{
 			// How long we have to login with this token
-			ExpiresAt: time.Now().Add(5 * time.Minute).Unix(),
+			ExpiresAt: jwt.At(time.Now().Add(5 * time.Minute)),
 		},
 	})
 	return token.SignedString(sa.PrivateKey)

diff --git a/plugins/inputs/dcos/client_test.go b/plugins/inputs/dcos/client_test.go
@@ -8,7 +8,7 @@ import (
 	"net/url"
 	"testing"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	jwt "github.com/dgrijalva/jwt-go/v4"
 	"github.com/influxdata/telegraf/testutil"
 	"github.com/stretchr/testify/require"
 )

diff --git a/plugins/inputs/dcos/dcos.go b/plugins/inputs/dcos/dcos.go
@@ -9,7 +9,7 @@ import (
 	"sync"
 	"time"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	jwt "github.com/dgrijalva/jwt-go/v4"
 	"github.com/influxdata/telegraf"
 	"github.com/influxdata/telegraf/filter"
 	"github.com/influxdata/telegraf/internal"

diff --git a/scripts/check-deps.sh b/scripts/check-deps.sh
@@ -51,6 +51,12 @@ for dep in $(LC_ALL=C sort -u "${tmpdir}/golist"); do
 	echo "${dep}" >> "${tmpdir}/HEAD"
 done
 
+# If there are two versions of a library that have the same base (like
+# github.com/foo/bar github.com/foo/bar/v3) there will be a duplicate
+# in the list.  Remove duplicates again.
+mv "${tmpdir}/HEAD" "${tmpdir}/HEAD-dup"
+uniq "${tmpdir}/HEAD-dup" > "${tmpdir}/HEAD"
+
 grep '^-' docs/LICENSE_OF_DEPENDENCIES.md | grep -v github.com/DataDog/datadog-agent | cut -f 2 -d' ' > "${tmpdir}/LICENSE_OF_DEPENDENCIES.md"
 
 diff -U0 "${tmpdir}/LICENSE_OF_DEPENDENCIES.md" "${tmpdir}/HEAD" || {