fix: reject + and / in the no-native-fromBase64 decode fallback#879
Open
spokodev wants to merge 1 commit into
Open
fix: reject + and / in the no-native-fromBase64 decode fallback#879spokodev wants to merge 1 commit into
spokodev wants to merge 1 commit into
Conversation
When `Uint8Array.fromBase64` is unavailable, base64url `decode()` falls
back to translating `-_` to `+/` and decoding via `atob`, which accepts
the standard-Base64 characters `+` and `/`. The native path
(`Uint8Array.fromBase64(input, { alphabet: 'base64url' })`) rejects them,
so the same input is accepted on runtimes without the native method and
rejected on runtimes with it.
Reject `+` and `/` in the fallback before the `-_` -> `+/` translation,
matching the native path. Only those two characters change behaviour;
padding and whitespace handled by `atob` are untouched.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
base64url.decode()decodes the same input differently across runtimes when it contains+or/.The native path rejects them, since they are not in the Base64URL alphabet:
The fallback (runtimes without
Uint8Array.fromBase64) translates-_→+/and decodes viaatob, which accepts standard-Base64+and/:So the same JWS/JWE/JWT segment is accepted on a runtime without the native method and rejected on one with it:
This is a portability inconsistency rather than a security issue (a forged signature still fails verification), but a given segment should decode the same way on every runtime, and the fallback should match the alphabet the native path already enforces.
Fix
Reject
+and/in the fallback before the-_→+/translation, so it behaves like the native path. Only those two characters change; the padding and whitespace thatatobtolerates are untouched.Tests
Added a unit test exercising both paths (native, and the fallback forced by removing
Uint8Array.fromBase64):+//are rejected and valid base64url still decodes. The fallback case fails onmainand passes with the fix.