Merge commit from fork

* Remove strings.Split and add parseToken function * review and add tests

Author: mfridman

jwt_test.go

@@ -0,0 +1,89 @@
+package jwt
+
+import (
+"testing"
+)
+
+funcTestSplitToken(t*testing.T) {
+t.Parallel()
+
+tests:= []struct {
+namestring
+inputstring
+expected []string
+isValidbool
+ }{
+ {
+name: "valid token with three parts",
+input: "header.claims.signature",
+expected: []string{"header", "claims", "signature"},
+isValid: true,
+ },
+ {
+name: "invalid token with two parts only",
+input: "header.claims",
+expected: nil,
+isValid: false,
+ },
+ {
+name: "invalid token with one part only",
+input: "header",
+expected: nil,
+isValid: false,
+ },
+ {
+name: "invalid token with extra delimiter",
+input: "header.claims.signature.extra",
+expected: nil,
+isValid: false,
+ },
+ {
+name: "invalid empty token",
+input: "",
+expected: nil,
+isValid: false,
+ },
+ {
+name: "valid token with empty parts",
+input: "..signature",
+expected: []string{"", "", "signature"},
+isValid: true,
+ },
+ {
+// We are just splitting the token into parts, so we don't care about the actual values.
+// It is up to the caller to validate the parts.
+name: "valid token with all parts empty",
+input: "..",
+expected: []string{"", "", ""},
+isValid: true,
+ },
+ {
+name: "invalid token with just delimiters and extra part",
+input: "...",
+expected: nil,
+isValid: false,
+ },
+ {
+name: "invalid token with many delimiters",
+input: "header.claims.signature..................",
+expected: nil,
+isValid: false,
+ },
+ }
+
+for_, tt:=rangetests {
+t.Run(tt.name, func(t*testing.T) {
+parts, ok:=splitToken(tt.input)
+ifok!=tt.isValid {
+t.Errorf("expected %t, got %t", tt.isValid, ok)
+ }
+ifok {
+fori, part:=rangett.expected {
+ifparts[i] !=part {
+t.Errorf("expected %s, got %s", part, parts[i])
+ }
+ }
+ }
+ })
+ }
+}

parser.go

@@ -8,6 +8,8 @@ import (
 "strings"
 )
 
+consttokenDelimiter="."
+
 typeParserstruct {
 // If populated, only these methods will be considered valid.
 validMethods []string
@@ -136,9 +138,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
 // It's only ever useful in cases where you know the signature is valid (since it has already
 // been or will be checked elsewhere in the stack) and you want to extract values from it.
 func (p*Parser) ParseUnverified(tokenStringstring, claimsClaims) (token*Token, parts []string, errerror) {
-parts=strings.Split(tokenString, ".")
-iflen(parts) !=3 {
-returnnil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed)
+varokbool
+parts, ok=splitToken(tokenString)
+if!ok {
+returnnil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed)
  }
 
 token=&Token{Raw: tokenString}
@@ -196,6 +199,33 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
 returntoken, parts, nil
 }
 
+// splitToken splits a token string into three parts: header, claims, and signature. It will only
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
+// will return nil parts and false.
+funcsplitToken(tokenstring) ([]string, bool) {
+parts:=make([]string, 3)
+header, remain, ok:=strings.Cut(token, tokenDelimiter)
+if!ok {
+returnnil, false
+ }
+parts[0] =header
+claims, remain, ok:=strings.Cut(remain, tokenDelimiter)
+if!ok {
+returnnil, false
+ }
+parts[1] =claims
+// One more cut to ensure the signature is the last part of the token and there are no more
+// delimiters. This avoids an issue where malicious input could contain additional delimiters
+// causing unecessary overhead parsing tokens.
+signature, _, unexpected:=strings.Cut(remain, tokenDelimiter)
+ifunexpected {
+returnnil, false
+ }
+parts[2] =signature
+
+returnparts, true
+}
+
 // DecodeSegment decodes a JWT specific base64url encoding. This function will
 // take into account whether the [Parser] is configured with additional options,
 // such as [WithStrictDecoding] or [WithPaddingAllowed].