From 73b2f988c4475ae130f1d9436954c2abd3358545 Mon Sep 17 00:00:00 2001
From: reimda
Date: Mon, 2 Nov 2020 09:07:37 -0700
Subject: [PATCH] Update jwt-go module to address CVE-2020-26160 (#8337)

---
 go.mod | 2 +-
 go.sum | 2 ++
 plugins/inputs/dcos/client.go | 4 ++--
 plugins/inputs/dcos/client_test.go | 2 +-
 plugins/inputs/dcos/dcos.go | 2 +-
 scripts/check-deps.sh | 6 ++++++
 6 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index ecc7f1d9f..81464d821 100644
--- a/go.mod
+++ b/go.mod
@@ -39,7 +39,7 @@ require (
 github.com/couchbase/gomemcached v0.0.0-20180502221210-0da75df14530 // indirect
 github.com/couchbase/goutils v0.0.0-20180530154633-e865a1461c8a // indirect
 github.com/denisenkom/go-mssqldb v0.0.0-20190707035753-2be1aa521ff4
- github.com/dgrijalva/jwt-go v3.2.0+incompatible
+ github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
 github.com/dimchansky/utfbom v1.1.0
 github.com/docker/distribution v2.6.0-rc.1.0.20170726174610-edc3ab29cdff+incompatible // indirect
 github.com/docker/docker v17.12.0-ce-rc1.0.20200916142827-bd33bbf0497b+incompatible
diff --git a/go.sum b/go.sum
index 37d106f3f..866e6d15d 100644
--- a/go.sum
+++ b/go.sum
@@ -162,6 +162,8 @@ github.com/devigned/tab v0.1.1 h1:3mD6Kb1mUOYeLpJvTVSDwSg5ZsfSxfvxGRTxRsJsITA=
 github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbYd8tQGRWacE9kU=
+github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
 github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4=
 github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
 github.com/docker/distribution v2.6.0-rc.1.0.20170726174610-edc3ab29cdff+incompatible h1:357nGVUC8gSpeSc2Axup8HfrfTLLUfWfCsCUhiQSKIg=
diff --git a/plugins/inputs/dcos/client.go b/plugins/inputs/dcos/client.go
index c7561ee35..8f171638a 100644
--- a/plugins/inputs/dcos/client.go
+++ b/plugins/inputs/dcos/client.go
@@ -10,7 +10,7 @@ import (
 "net/url"
 "time"
 
- jwt "github.com/dgrijalva/jwt-go"
+ jwt "github.com/dgrijalva/jwt-go/v4"
 )
 
 const (
@@ -330,7 +330,7 @@ func (c *ClusterClient) createLoginToken(sa *ServiceAccount) (string, error) {
 UID: sa.AccountID,
 StandardClaims: jwt.StandardClaims{
 // How long we have to login with this token
- ExpiresAt: time.Now().Add(5 * time.Minute).Unix(),
+ ExpiresAt: jwt.At(time.Now().Add(5 * time.Minute)),
 },
 })
 return token.SignedString(sa.PrivateKey)
diff --git a/plugins/inputs/dcos/client_test.go b/plugins/inputs/dcos/client_test.go
index 7d154a43e..0b7772dcc 100644
--- a/plugins/inputs/dcos/client_test.go
+++ b/plugins/inputs/dcos/client_test.go
@@ -8,7 +8,7 @@ import (
 "net/url"
 "testing"
 
- jwt "github.com/dgrijalva/jwt-go"
+ jwt "github.com/dgrijalva/jwt-go/v4"
 "github.com/influxdata/telegraf/testutil"
 "github.com/stretchr/testify/require"
 )
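Review bot: `ExpiresAt: jwt.At(time.Now().Add(5 * time.Minute)),` ties createLoginToken to the claims API of v4.0.0-preview1, a pre-release tag (presumably `StandardClaims` there carries `*jwt.Time` fields, which is why the `.Unix()` call goes away), and nothing at the call site records that; a maintainer later moving to a stable jwt release has no hint that this is the line that changes. A comment above the field, `// jwt-go v4 stores timestamps as *jwt.Time; jwt.At wraps a time.Time`, would make the API difference explicit. From the visible hunks the plugin only builds and signs a token here and no parse/verify call is touched, so the audience-claim verification weakness that CVE-2020-26160 describes was probably not reachable through this code path; the upgrade is still the right dependency hygiene, but it is worth being clear that the pre-release pin is the cost paid for it. The same import switch is repeated in client_test.go and dcos.go. createLoginToken begins outside the hunk.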
diff --git a/plugins/inputs/dcos/dcos.go b/plugins/inputs/dcos/dcos.go
index d74c79249..1cdd40f11 100644
--- a/plugins/inputs/dcos/dcos.go
+++ b/plugins/inputs/dcos/dcos.go
@@ -9,7 +9,7 @@ import (
 "sync"
 "time"
 
- jwt "github.com/dgrijalva/jwt-go"
+ jwt "github.com/dgrijalva/jwt-go/v4"
 "github.com/influxdata/telegraf"
 "github.com/influxdata/telegraf/filter"
 "github.com/influxdata/telegraf/internal"
diff --git a/scripts/check-deps.sh b/scripts/check-deps.sh
index b76d47d57..c52c553f5 100755
--- a/scripts/check-deps.sh
+++ b/scripts/check-deps.sh
@@ -51,6 +51,12 @@ for dep in $(LC_ALL=C sort -u "${tmpdir}/golist"); do
 echo "${dep}" >> "${tmpdir}/HEAD"
 done
 
+# If there are two versions of a library that have the same base (like
+# github.com/foo/bar github.com/foo/bar/v3) there will be a duplicate
+# in the list. Remove duplicates again.
+mv "${tmpdir}/HEAD" "${tmpdir}/HEAD-dup"
+uniq "${tmpdir}/HEAD-dup" > "${tmpdir}/HEAD"
+
 grep '^-' docs/LICENSE_OF_DEPENDENCIES.md | grep -v github.com/DataDog/datadog-agent | cut -f 2 -d' ' > "${tmpdir}/LICENSE_OF_DEPENDENCIES.md"
 
 diff -U0 "${tmpdir}/LICENSE_OF_DEPENDENCIES.md" "${tmpdir}/HEAD" || {
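Review bot: `uniq "${tmpdir}/HEAD-dup" > "${tmpdir}/HEAD"` only collapses adjacent duplicates, and the two entries the new comment describes are adjacent only when no other module sorts between `github.com/foo/bar` and `github.com/foo/bar/v3` under `LC_ALL=C`; a module such as `github.com/foo/bar-x` does, because `-` sorts before `/`, so after the loop (presumably it normalises the `/vN` suffix, but that code is outside the hunk) the repeated entry would survive and the later `diff -U0` would report a spurious missing license. Replacing the line with `LC_ALL=C sort -u "${tmpdir}/HEAD-dup" > "${tmpdir}/HEAD"` removes non-adjacent duplicates too and preserves the order the first `sort -u` already produced, so the comparison is unchanged otherwise. The `mv` result is also unchecked; unless the script runs under `set -e` (not visible here), a failed move leaves an empty HEAD list and the check passes vacuously.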