32 changes: 27 additions & 5 deletions src/lib/isJWT.js
@@ -1,15 +1,37 @@
import assertString from './util/assertString';
import isBase64 from './isBase64';

function tryDecodeJSON(segment) {
if (!isBase64(segment, { urlSafe: true })) return false;
try {
// Normalize base64url alphabet to base64, then restore stripped padding
let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
while (b64.length % 4) b64 += '=';
const decoded = Buffer.from(b64, 'base64').toString('utf8');
Copilot AI Mar 7, 2026


Buffer.from(...) is used to decode base64, but Buffer is Node-specific and Buffer.from is not available on the minimum supported Node versions (package.json declares node >= 0.10). This will also break the browser UMD build unless a Buffer polyfill is guaranteed. Consider switching to a runtime-agnostic base64url decode implementation (e.g., atob/TextDecoder in browsers with a safe fallback for old Node), or gate the Buffer path behind an availability check and provide a non-Buffer fallback.

Suggested change
function tryDecodeJSON(segment) {
if (!isBase64(segment, { urlSafe: true })) return false;
try {
// Normalize base64url alphabet to base64, then restore stripped padding
let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
while (b64.length % 4) b64 += '=';
const decoded = Buffer.from(b64, 'base64').toString('utf8');
function decodeBase64UrlToUtf8(b64) {
// Prefer Node.js Buffer when available (supports old Node via `new Buffer`).
if (typeof Buffer !== 'undefined') {
if (typeof Buffer.from === 'function') {
return Buffer.from(b64, 'base64').toString('utf8');
}
// Fallback for very old Node versions where Buffer.from is not available.
// eslint-disable-next-line no-buffer-constructor
return new Buffer(b64, 'base64').toString('utf8');
}
// Browser / non-Node environment: use atob/TextDecoder if available.
if (typeof atob === 'function') {
const binary = atob(b64);
// If TextDecoder is available, use it for proper UTF-8 decoding.
if (typeof TextDecoder !== 'undefined') {
const bytes = new Uint8Array(binary.length);
for (let i = 0; i < binary.length; i += 1) {
bytes[i] = binary.charCodeAt(i);
}
return new TextDecoder('utf-8').decode(bytes);
}
// Fallback UTF-8 decoding using percent-encoding.
let encoded = '';
for (let i = 0; i < binary.length; i += 1) {
const code = binary.charCodeAt(i).toString(16).padStart(2, '0');
encoded += '%' + code;
}
return decodeURIComponent(encoded);
}
// As a last resort, return the input unchanged.
return b64;
}
function tryDecodeJSON(segment) {
if (!isBase64(segment, { urlSafe: true })) return false;
try {
// Normalize base64url alphabet to base64, then restore stripped padding
let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
while (b64.length % 4) b64 += '=';
const decoded = decodeBase64UrlToUtf8(b64);

const parsed = JSON.parse(decoded);
if (typeof parsed !== 'object') return false;
if (parsed === null) return false;
if (Array.isArray(parsed)) return false;
return true;
} catch (e) {
return false;
}
}

export default function isJWT(str) {
assertString(str);

const dotSplit = str.split('.');
const len = dotSplit.length;

if (len !== 3) {
return false;
}
if (dotSplit.length !== 3) return false;

const header = dotSplit[0];
const payload = dotSplit[1];
const signature = dotSplit[2];

if (!tryDecodeJSON(header)) return false;
if (!tryDecodeJSON(payload)) return false;
if (!isBase64(signature, { urlSafe: true })) return false;

return dotSplit.reduce((acc, currElem) => acc && isBase64(currElem, { urlSafe: true }), true);
return true;
}
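Review bot: `tryDecodeJSON` only checks that a segment decodes to a non-null, non-array JSON object, so a header with no `alg` member passes `isJWT` even though RFC 7515 makes `alg` a required JOSE header parameter; if the validator is meant to stay a loose structural check that is acceptable, otherwise have `tryDecodeJSON` return the parsed object (or `null`) and check `typeof header.alg === 'string'` in `isJWT`. Either way `isJWT` needs a JSDoc saying what a `true` result means, because per the review thread an empty third segment (Unsecured JWS, `alg: none`) is accepted by design and the empty string appears to satisfy the url-safe `isBase64` check: `/** Structural check only: three base64url segments whose header and payload decode to JSON objects. The signature is not verified and may be empty (Unsecured JWS), so a true result is never evidence of authenticity. */`.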
13 changes: 13 additions & 0 deletions test/validators.test.js
Expand Up @@ -5549,6 +5549,19 @@ describe('Validators', () => {
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTYxNjY1Mzg3Mn0.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwiaWF0IjoxNjE2NjUzODcyLCJleHAiOjE2MTY2NTM4ODJ9.a1jLRQkO5TV5y5ERcaPAiM9Xm2gBdRjKrrCpHkGr_8M',
'$Zs.ewu.su84',
'ks64$S/9.dy$§kz.3sd73b',
'foo.bar.',
'..',
'.t.',
'foo.bar.baz',
'Zm9v.YmFy.',
Comment on lines +5553 to +5557
Copilot AI Mar 7, 2026


The PR description mentions adding a test for an unsecured JWT with an empty signature (alg: none), but this test block only adds additional invalid cases. Consider adding an explicit valid token where the header sets alg to none and the signature segment is empty (trailing dot) to ensure the intended behavior is actually covered.

Contributor Author


fixed

'eyJmb28iOiJiYXIifQ.YmFy.',
'Zm9v.eyJiYXIiOiJiYXoifQ.',
'W10=.eyJiYXIiOiJiYXoifQ.',
'eyJmb28iOiJiYXIifQ.W10=.',
Copilot AI Mar 7, 2026


Some of the newly added invalid JWT fixtures include = padding in header/payload segments (e.g., W10=). Since isBase64(..., { urlSafe: true }) rejects =, these cases fail before exercising the new base64url normalization + JSON parsing logic. If the intent is to test “non-object decoded values”, use the unpadded base64url forms (e.g., W10 for []) so the decode/parse path is actually covered.

Suggested change
'W10=.eyJiYXIiOiJiYXoifQ.',
'eyJmb28iOiJiYXIifQ.W10=.',
'W10.eyJiYXIiOiJiYXoifQ.',
'eyJmb28iOiJiYXIifQ.W10.',

'bnVsbA.eyJiYXIiOiJiYXoifQ.',
'WzFd.eyJiYXIiOiJiYXoifQ.',
'ImhlbGxvIg.eyJiYXIiOiJiYXoifQ.',
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.invalid$sig',
],
error: [
[],
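Review bot: None of the new invalid fixtures has a header or payload segment whose length is 1 mod 4, which is the one shape the padding loop in `tryDecodeJSON` (`while (b64.length % 4) b64 += '='`) turns into an illegal `===` tail: Node's `Buffer` decoder tolerates it and yields an empty string, so rejection happens only because `JSON.parse('')` throws, whereas a browser `atob`, as far as I can tell, would throw on the padding itself. Adding `'eyJhbGciOiJub25lIn0.e.'` to the invalid list pins that both paths end in `false`. A fixture whose segment uses the standard alphabet (`+` or `/`) would likewise confirm that the url-safe `isBase64` check, rather than the `replace` normalization, is what rejects non-base64url input as RFC 7515 requires. The invalid-fixture array continues past the end of the hunk.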