Unverified Commit cd30a281 authored by Benjamin Neff's avatar Benjamin Neff Committed by Dennis Schubert

Bump json-jwt and openid_connect

Fixes CVE-2018-1000539
parent 08e108d3
......@@ -164,7 +164,7 @@ gem "omniauth-wordpress", "0.2.2"
gem "twitter", "6.2.0"
# OpenID Connect
gem "openid_connect", "1.1.5"
gem "openid_connect", "1.1.6"
# Serializers
......
......@@ -306,7 +306,7 @@ GEM
httparty (0.16.2)
multi_xml (>= 0.5.2)
httpclient (2.8.3)
i18n (1.0.0)
i18n (1.1.0)
concurrent-ruby (~> 1.0)
i18n-inflector (2.6.7)
i18n (>= 0.4.1)
......@@ -333,12 +333,10 @@ GEM
rails (>= 4.0, < 6.0)
sprockets (>= 3.0.0)
json (2.1.0)
json-jwt (1.9.2)
json-jwt (1.9.4)
activesupport
aes_key_wrap
bindata
securecompare
url_safe_base64
json-schema (2.8.0)
addressable (>= 2.4)
json-schema-rspec (0.0.4)
......@@ -379,7 +377,7 @@ GEM
mime-types-data (~> 3.2015)
mime-types-data (3.2016.0521)
mini_magick (4.8.0)
mini_mime (1.0.0)
mini_mime (1.0.1)
mini_portile2 (2.3.0)
minitest (5.11.3)
mobile-fu (1.4.0)
......@@ -429,7 +427,7 @@ GEM
open_graph_reader (0.6.2)
faraday (>= 0.9.0)
nokogiri (~> 1.6)
openid_connect (1.1.5)
openid_connect (1.1.6)
activemodel
attr_required (>= 1.0.0)
json-jwt (>= 1.5.0)
......@@ -475,7 +473,7 @@ GEM
pry-byebug (3.6.0)
byebug (~> 10.0)
pry (~> 0.10)
public_suffix (3.0.2)
public_suffix (3.0.3)
rack (2.0.5)
rack-cors (1.0.2)
rack-google-analytics (1.2.0)
......@@ -483,7 +481,7 @@ GEM
activesupport
rack-mobile-detect (0.4.0)
rack
rack-oauth2 (1.9.1)
rack-oauth2 (1.9.2)
activesupport
attr_required
httpclient
......@@ -642,7 +640,6 @@ GEM
sass (~> 3.4.20)
secure_headers (5.0.5)
useragent (>= 0.15.0)
securecompare (1.0.0)
shellany (0.0.1)
shoulda-matchers (3.1.2)
activesupport (>= 4.0.0)
......@@ -728,7 +725,6 @@ GEM
unicorn-worker-killer (0.4.4)
get_process_mem (~> 0)
unicorn (>= 4, < 6)
url_safe_base64 (0.2.2)
useragent (0.16.10)
uuid (2.3.8)
macaddr (~> 1.0)
......@@ -829,7 +825,7 @@ DEPENDENCIES
omniauth-twitter (= 1.4.0)
omniauth-wordpress (= 0.2.2)
open_graph_reader (= 0.6.2)
openid_connect (= 1.1.5)
openid_connect (= 1.1.6)
pg (= 1.0.0)
poltergeist (= 1.17.0)
pronto (= 0.9.5)
......
......@@ -296,7 +296,9 @@ describe Api::OpenidConnect::AuthorizationsController, type: :request do
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
access_token = response.location[/(?<=access_token=)[^&]+/]
access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8])
access_token_check_num = Base64.urlsafe_encode64(
OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false
)
expect(decoded_token.at_hash).to eq(access_token_check_num)
end
end
......
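Review bot: The at_hash computation introduced on lines 104–106 is repeated verbatim in the two token_endpoint spec hunks further down (both `access_token_check_num = Base64.urlsafe_encode64(` blocks), so three specs now carry the same truncation-and-encoding rule and will drift the moment one of them is edited; a single spec helper such as `def at_hash_for(token); Base64.urlsafe_encode64(OpenSSL::Digest::SHA256.digest(token)[0, 128 / 8], padding: false); end` would keep one definition. A short why-comment on the slice would also help a reader who does not know the OpenID Connect rule, e.g. `# at_hash is the left-most half (128 bits) of the SHA-256 digest, base64url-encoded without padding`. `Base64` is presumably already loaded by the Rails test environment; if it is not, the spec needs `require "base64"` now that it no longer goes through UrlSafeBase64. The enclosing `it` block starts before this hunk.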
eyJhbGciOiJSUzI1NiIsImtpZCI6ImExIn0.eyJhdWQiOiBbImh0dHBzOi8va2VudHNoaWthbWEuY29tL2FwaS9vcGVuaWRfY29ubmVjdC9hY2Nlc3NfdG9rZW5zIl0sICJpc3MiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UiLCAianRpIjogIjBtY3JyZVlIIiwgImV4cCI6IDE0NDMxNzA4OTEuMzk3NDU2LCAiaWF0IjogMTQ0MzE3MDI5MS4zOTc0NTYsICJzdWIiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UifQ.QJUR3SYFrEIlbfOKjO0NYInddklytbJ2LSWNpkQ1aNThgneDCVCjIYGCaL2C9Sw-GR8j7QSUsKOwBbjZMUmVPFTjsfB4wdgObbxVt1QAXwDjAXc5w1smOerRsoahZ4yKI1an6PTaFxMwnoXUQcBZTsOS6RgXOCPPPoxibxohxoehPLieM0l7LYcF5DQKg7fTxZYOpmtiP--nibJxomXdVQNLSnZuQwnyWtlp_gYmqrYMMN1LPSmNCgZMZZZIYttaaAIA96SylglqubowJRShtDO9rSvUz_sgeCo7qo5Bfb0B5n9_PtIlr1CZSVoHyYj2lVqQldx7fnGuqqQJCfDQoe
\ No newline at end of file
eyJhbGciOiJSUzI1NiIsImtpZCI6ImExIn0.eyJhdWQiOiBbImh0dHBzOi8va2VudHNoaWthbWEuY29tL2FwaS9vcGVuaWRfY29ubmVjdC9hY2Nlc3NfdG9rZW5zIl0sICJpc3MiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UiLCAianRpIjogIjBtY3JyZVlIIiwgImV4cCI6IDE0NDMxNzA4OTEuMzk3NDU2LCAiaWF0IjogMTQ0MzE3MDI5MS4zOTc0NTYsICJzdWIiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UifQ.QJUR3SYFrEIlbfOKjO0NYInddklytbJ2LSWNpkQ1aNThgneDCVCjIYGCaL2C9Sw-GR8j7QSUsKOwBbjZMUmVPFTjsfB4wdgObbxVt1QAXwDjAXc5w1smOerRsoahZ4yKI1an6PTaFxMwnoXUQcBZTsOS6RgXOCPPPoxibxohxoehPLieM0l7LYcF5DQKg7fTxZYOpmtiP--nibJxomXdVQNLSnZuQwnyWtlp_gYmqrYMMN1LPSmNCgZMZZZIYttaaAIA96SylglqubowJRShtDO9rSvUz_sgeCo7qo5Bfb0B5n9_PtIlr1CZSVoHyYj2lVqQldx7fnGuqqQJCfDQoQ
\ No newline at end of file
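Review bot: Only the final character of the fixture's signature segment changes (`e` to `Q`), and nothing in the commit message says why. Both characters appear to encode the same data bits of the last signature byte and differ only in the trailing bits that base64url requires to be zero, which suggests the old fixture was non-canonical and is now rejected by the stricter decoding the bumped json-jwt uses; if that is the reason, a sentence in the description stating it would save the next reader from diffing a 300-character token by eye.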
......@@ -49,7 +49,9 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
access_token = json["access_token"]
access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8])
access_token_check_num = Base64.urlsafe_encode64(
OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false
)
expect(decoded_token.at_hash).to eq(access_token_check_num)
end
......@@ -93,7 +95,9 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
access_token = json["access_token"]
access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8])
access_token_check_num = Base64.urlsafe_encode64(
OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false
)
expect(decoded_token.at_hash).to eq(access_token_check_num)
end
......