targets/python-jose/server.py · JWT Differential Fuzzer

50 lines · python

import json
from http.server import BaseHTTPRequestHandler, HTTPServer
 
from jose import jwt
import jose
 
LIB_ID = "pyjose"
LIB_VERSION = getattr(jose, "__version__", "unknown")
 
def verdict(payload):
    token = payload["token"]
    key = payload["key"]
    algs = payload["algs"]
    try:
        claims = jwt.decode(token, key, algorithms=algs)
        return {"valid": True, "claims": claims, "error": None,
                "lib": LIB_ID, "version": LIB_VERSION}
    except Exception as e:
        return {"valid": False, "claims": None,
                "error": f"{type(e).__name__}: {e}",
                "lib": LIB_ID, "version": LIB_VERSION}
 
class Handler(BaseHTTPRequestHandler):
    def log_message(self, *_):
        pass
 
    def do_POST(self):
        if self.path != "/verify":
            self.send_response(404)
            self.end_headers()
            return
        n = int(self.headers.get("Content-Length", 0))
        try:
            payload = json.loads(self.rfile.read(n))
        except Exception:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(b'{"error":"bad json"}')
            return
        out = verdict(payload)
        body = json.dumps(out).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
 
if __name__ == "__main__":
    print(f"[{LIB_ID} {LIB_VERSION}] listening :7003")
    HTTPServer(("0.0.0.0", 7003), Handler).serve_forever()

1	import json
2	from http.server import BaseHTTPRequestHandler, HTTPServer
3
4	from jose import jwt
5	import jose
6
7	LIB_ID = "pyjose"
8	LIB_VERSION = getattr(jose, "__version__", "unknown")
9
10	def verdict(payload):
11	token = payload["token"]
12	key = payload["key"]
13	algs = payload["algs"]
14	try:
15	claims = jwt.decode(token, key, algorithms=algs)
16	return {"valid": True, "claims": claims, "error": None,
17	"lib": LIB_ID, "version": LIB_VERSION}
18	except Exception as e:
19	return {"valid": False, "claims": None,
20	"error": f"{type(e).__name__}: {e}",
21	"lib": LIB_ID, "version": LIB_VERSION}
22
23	class Handler(BaseHTTPRequestHandler):
24	def log_message(self, *_):
25	pass
26
27	def do_POST(self):
28	if self.path != "/verify":
29	self.send_response(404)
30	self.end_headers()
31	return
32	n = int(self.headers.get("Content-Length", 0))
33	try:
34	payload = json.loads(self.rfile.read(n))
35	except Exception:
36	self.send_response(400)
37	self.end_headers()
38	self.wfile.write(b'{"error":"bad json"}')
39	return
40	out = verdict(payload)
41	body = json.dumps(out).encode()
42	self.send_response(200)
43	self.send_header("Content-Type", "application/json")
44	self.send_header("Content-Length", str(len(body)))
45	self.end_headers()
46	self.wfile.write(body)
47
48	if __name__ == "__main__":
49	print(f"[{LIB_ID} {LIB_VERSION}] listening :7003")
50	HTTPServer(("0.0.0.0", 7003), Handler).serve_forever()