signed-integrity: added test for alg: none JWTs (ref. #28)

2022-01-13 01:53:35 +00:00 · 2022-01-13 01:53:35 +00:00 · 5254644402
commit 5254644402
--- a/tests/plugins/signed-integrity.test.js
+++ b/tests/plugins/signed-integrity.test.js
@ -92,6 +92,9 @@ describe("plugin: signed-integrity", () => {
                                    content = '{"test": "fail"}'
                                    status = 404
                                    statusText = "Not Found"
+                                // testing "alg: none" on the integrity JWT
+                                } else if (url == 'https://resilient.is/alg-none.json.integrity') {
+                                    content = noneHeader + '.' + payload + '.'
                                // testing bad signature on the integrity JWT
                                } else if (url == 'https://resilient.is/bad-signature.json.integrity') {
                                    content = header + '.' + payload + '.' + noneSignature
@ -226,6 +229,20 @@ describe("plugin: signed-integrity", () => {
    }
  });
  
+  test("it should refuse to fetch content when integrity data not provided and integrity data URL is fetched, but JWT uses alg: none", async () => {
+    require("../../plugins/signed-integrity.js");
+    
+    expect.assertions(4);
+    try {
+      const response = await LibResilientPluginConstructors.get('signed-integrity')(LR, init).fetch('https://resilient.is/alg-none.json', {});
+    } catch (e) {
+      expect(resolvingFetch).toHaveBeenCalledTimes(1);
+      expect(resolvingFetch).toHaveBeenCalledWith('https://resilient.is/alg-none.json.integrity')
+      expect(e).toBeInstanceOf(Error)
+      expect(e.toString()).toMatch('JWT seems invalid (one or more sections are empty)')
+    }
+  });
+  
  test("it should refuse to fetch content when integrity data not provided and integrity data URL is fetched, but JWT signature check fails", async () => {
    require("../../plugins/signed-integrity.js");
    
--- a/plugins/signed-integrity.js
+++ b/plugins/signed-integrity.js
@ -125,6 +125,11 @@
                    
                    console.log(`JWT b64urlDecoded:\n- ${b64urlDecode(jwt[0])}\n- ${b64urlDecode(jwt[1])}\n- ${b64urlDecode(jwt[2])}`)
                    
+                    // reality check: all parts of the JWT should be non-empty
+                    if ( (jwt[0].length == 0) || (jwt[1].length == 0) || (jwt[2].length == 0) ) {
+                        throw new Error('JWT seems invalid (one or more sections are empty).')
+                    }
+                    
                    // WARNING: this is in neither efficient or clear... but works, and this is a PoC
                    var signature = Uint8Array.from(
                                                Array.from(