chore: upgrade to golang-jwt 3.2.1 to fix CVE-2020-26160

jdstrand · jdstrand · commit da3f54d22b0c · 2021-07-23T14:50:17.000-05:00
CVE-2020-26160[0] is an access restriction bypass under certain circumstances when validating audience checks. The original dgrijalva/jwt-go project is no longer maintained[1] and will not be issuing a fix for this CVE[2]. Instead, they have transferred ownership to golang-jwt/jwt[2][3][4]. The following was performed: 1. update chronograf and jsonweb to import golang-jwt/jwt 2. go mod edit -require github.com/golang-jwt/jwt@v3.2.1+incompatible 3. go mod edit -droprequire github.com/dgrijalva/jwt-go 4. go mod tidy 5. make 6. make test References: [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160 [1] dgrijalva/jwt-go#462 [2] dgrijalva/jwt-go#463 [3] https://github.com/dgrijalva/jwt-go/blob/master/README.md [4] https://github.com/golang-jwt/jwt
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -50,6 +50,7 @@ This release adds an embedded SQLite database for storing metadata required by t
 1. [21849](https://github.com/influxdata/influxdb/pull/21849): Specify which fields are missing when rejecting an incomplete onboarding request.
 1. [21839](https://github.com/influxdata/influxdb/pull/21839): Fix display and parsing of `influxd upgrade` CLI prompts in PowerShell.
 1. [21850](https://github.com/influxdata/influxdb/pull/21850): Systemd unit should block on startup until http endpoint is ready
+1. [21925](https://github.com/influxdata/influxdb/pull/21925): Upgrade to golang-jwt 3.2.1.
 
 ## v2.0.7 [2021-06-04]
 
diff --git a/chronograf/influx/authorization.go b/chronograf/influx/authorization.go
@@ -5,7 +5,7 @@ import (
 	"net/http"
 	"time"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	jwt "github.com/golang-jwt/jwt"
 	"github.com/influxdata/influxdb/v2/chronograf"
 )
 
diff --git a/chronograf/influx/influx_test.go b/chronograf/influx/influx_test.go
@@ -10,7 +10,7 @@ import (
 	"testing"
 	"time"
 
-	gojwt "github.com/dgrijalva/jwt-go"
+	gojwt "github.com/golang-jwt/jwt"
 	"github.com/influxdata/influxdb/v2/chronograf"
 	"github.com/influxdata/influxdb/v2/chronograf/influx"
 	"github.com/influxdata/influxdb/v2/chronograf/mocks"
diff --git a/go.mod b/go.mod
@@ -15,7 +15,6 @@ require (
 	github.com/buger/jsonparser v0.0.0-20191004114745-ee4c978eae7e
 	github.com/cespare/xxhash v1.1.0
 	github.com/davecgh/go-spew v1.1.1
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8
 	github.com/docker/docker v1.13.1 // indirect
 	github.com/dustin/go-humanize v1.0.0
@@ -26,6 +25,7 @@ require (
 	github.com/go-chi/chi v4.1.0+incompatible
 	github.com/go-stack/stack v1.8.0
 	github.com/gogo/protobuf v1.3.2
+	github.com/golang-jwt/jwt v3.2.1+incompatible
 	github.com/golang/gddo v0.0.0-20181116215533-9bd4a3295021
 	github.com/golang/mock v1.5.0
 	github.com/golang/protobuf v1.3.3
diff --git a/go.sum b/go.sum
@@ -212,6 +212,8 @@ github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
+github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
diff --git a/jsonweb/token.go b/jsonweb/token.go
@@ -5,7 +5,7 @@ import (
 
 	"github.com/influxdata/influxdb/v2/kit/platform"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 	"github.com/influxdata/influxdb/v2"
 )
 
diff --git a/jsonweb/token_test.go b/jsonweb/token_test.go
@@ -6,7 +6,7 @@ import (
 
 	"github.com/influxdata/influxdb/v2/kit/platform"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 	"github.com/google/go-cmp/cmp"
 	"github.com/influxdata/influxdb/v2"
 )

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ import (`
`5`	`5`	`"net/http"`
`6`	`6`	`"time"`
`7`	`7`
`8`		`- jwt "github.com/dgrijalva/jwt-go"`
	`8`	`+ jwt "github.com/golang-jwt/jwt"`
`9`	`9`	`"github.com/influxdata/influxdb/v2/chronograf"`
`10`	`10`	`)`
`11`	`11`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ import (`
`5`	`5`
`6`	`6`	`"github.com/influxdata/influxdb/v2/kit/platform"`
`7`	`7`
`8`		`- "github.com/dgrijalva/jwt-go"`
	`8`	`+ "github.com/golang-jwt/jwt"`
`9`	`9`	`"github.com/influxdata/influxdb/v2"`
`10`	`10`	`)`
`11`	`11`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ import (`
`6`	`6`
`7`	`7`	`"github.com/influxdata/influxdb/v2/kit/platform"`
`8`	`8`
`9`		`- "github.com/dgrijalva/jwt-go"`
	`9`	`+ "github.com/golang-jwt/jwt"`
`10`	`10`	`"github.com/google/go-cmp/cmp"`
`11`	`11`	`"github.com/influxdata/influxdb/v2"`
`12`	`12`	`)`