Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Downgrade jsonwebtoken version to 8.5.1 #297

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Downgrade jsonwebtoken version to 8.5.1 #297

wants to merge 1 commit into from

Conversation

alexandre-tsu-manuel
Copy link

@alexandre-tsu-manuel alexandre-tsu-manuel commented Oct 22, 2024
edited
Loading

Pull Request Description

In PR #132 , the Snyk bot suggested to update the jsonwebtoken module from 8.5.1 to 9.0.0.
Merging it was a bad decision.

JWT 9.0.0 has bugs, notably, it doesn't work when it's used in a browser. See:

The reason why JWT was updated in fireblocks SDK in the first place is nonsensical. This is to fix a security issue, linked in the PR: https://security.snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180022

This security issue mentions the possibility to bypass the signature process when giving a null private key for example.
This is not a problem, as the only usage of that module in the fireblocks sdk is to sign data before calling an API: https://github.com/search?q=repo%3Afireblocks%2Ffireblocks-sdk-js%20jsonwebtoken&type=code

Should the signature be bypassed, the API call just won't work, nothing more. No security issue here.

Choosing to update JWT on the other hand, that prevents using the SDK in a browser, which has many interesting use cases.
When trying to integrate, an exception is raised at the first API call:

provider.ts:225 Uncaught (in promise) Error: Fireblocks SDK Error: Right-hand side of 'instanceof' is not an object
    at FireblocksWeb3Provider.createFireblocksError (provider.ts:225:17)
    at FireblocksWeb3Provider.populateAccounts (provider.ts:205:20)

No fix to this has been proposed by the JWT project. The only way to avoid it is to downgrade or use something else.

Therefore, I suggest rolling back this upgrade.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

The bug was discovered when trying to use the code provided at https://developers.fireblocks.com/reference/evm-web3-provider
Downgrading the JWT package fixes the exception mentionned above.

  • Locally tested against Fireblocks API

Checklist:

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • Any dependent changes have been merged and published in downstream modules
  • I have added corresponding labels to the PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@alexandre-tsu-manuel