From 1a5e483b541c5fabf13005884bf23aa1d76cdb78 Mon Sep 17 00:00:00 2001
From: Juri Leino
Date: Fri, 4 Jun 2021 18:04:49 +0200
Subject: [PATCH] fix(jwt): possible NPE in jwt:encode refs #2
The implementation of `jwt:encode` with arrow expressions failed with an NPE. It does so only when called in a test case as part of an XQSuite. Since this module is considered security relevant code the functon was refactored to be extra sure this will work under all circumstances. If the underlying NPE of the XQuery runtime is fixed the implementation can use arrow expressions again.
---
 src/content/jwt.xqm | 10 +++++++---
 src/test/jwt-spec.xqm | 7 +++++--
 src/test/mocha/xqSuite.js | 30 ++++++++++--------------------
 3 files changed, 22 insertions(+), 25 deletions(-)
diff --git a/src/content/jwt.xqm b/src/content/jwt.xqm
index 263a399..83e0bd3 100644
--- a/src/content/jwt.xqm
+++ b/src/content/jwt.xqm
@@ -108,11 +108,15 @@ declare function jwt:epoch-to-dateTime($ts as xs:integer) as xs:dateTime {
 $jwt:epoch-start + xs:dayTimeDuration(concat("PT", $ts, "S"))
 };
+(:~
+ : encode an item() for use in the JWT
+ : TODO: refactor to use arrow expressions again
+ : after existdb issue is fixed.
+ :)
 declare
 function jwt:encode ($data as item()) as xs:string {
- $data
- => serialize(map { "method": "json" })
- => util:base64-encode-url-safe()
+ util:base64-encode-url-safe(
+ serialize($data, map { "method": "json" }))
 };
 declare
diff --git a/src/test/jwt-spec.xqm b/src/test/jwt-spec.xqm
index 9e392d1..9105fa4 100644
--- a/src/test/jwt-spec.xqm
+++ b/src/test/jwt-spec.xqm
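Review bot: The new xqdoc comment on `jwt:encode` in src/content/jwt.xqm says neither what the function returns nor which upstream issue the TODO is waiting on, and for a helper that builds the signing input both matter. I would extend it to state that the result is the URL-safe Base64 of the JSON serialization of `$data`, and add a line such as `: NOTE: JSON serialization of a map does not guarantee key order; verify signatures over the received token segments, never over a re-encoded header or payload`. The TODO should name the tracker entry it depends on (for example `: TODO(<upstream issue link>): use arrow expressions again`), otherwise nobody can tell when the workaround may be reverted. Whether `util:base64-encode-url-safe` omits `=` padding, as the JWS compact form requires, is not visible in this hunk and is worth pinning in a test.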
@@ -124,10 +124,13 @@ function jwt-spec:future-token () {
 (:~
 : handle arbitrary token
- : NOTE: this test fails with an NPE while calling it from Xquery directly works
+ : NOTE:
+ : This test failed with an NPE in jwt:encode while building
+ : the $jwt:header variable.
+ : Calling the same code in a module directly always worked fine
+ : the implementation of jwt:encode was now refactored only to be extra sure.
 :)
 declare
- %test:pending
 %test:assertError("invalid-header")
 function jwt-spec:arbitrary-token-with-separators () {
 let $instance := jwt-spec:instance()
diff --git a/src/test/mocha/xqSuite.js b/src/test/mocha/xqSuite.js
index 59e0283..0703a9c 100644
--- a/src/test/mocha/xqSuite.js
+++ b/src/test/mocha/xqSuite.js
@@ -60,30 +60,20 @@ describe('xqSuite', function () {
 .catch(done)
 })
- it('should return 0 errors', done => {
- expect(result.errors).to.equal(0)
- done()
- })
+ it('should return 0 errors',
+ ()=> expect(result.errors).to.equal(0))
- it('should return 0 failures', done => {
- expect(result.failures).to.equal(0)
- done()
- })
+ it('should return 0 failures',
+ ()=> expect(result.failures).to.equal(0))
- it.skip('should return 0 pending tests', done => {
- expect(result.pending).to.equal(0)
- done()
- })
+ it('should return 0 pending tests',
+ ()=> expect(result.pending).to.equal(0))
- it('should have run some tests', done => {
- expect(result.tests).to.be.greaterThan(0)
- done()
- })
+ it('should have run 12 tests',
+ ()=> expect(result.tests).to.equal(12))
- it('should have finished in less than a second', done => {
- expect(result.time).to.be.lessThan(1)
- done()
- })
+ it('should have finished in less than a second',
+ ()=> expect(result.time).to.be.lessThan(1))
 after(done => {
 client.delete(testCollection)
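Review bot: In src/test/mocha/xqSuite.js the exact count in `expect(result.tests).to.equal(12)` is repeated in the test title and carries no pointer to where the number comes from, so the next person adding a case to the XQSuite gets a failure with no hint of what to update. Pinning the count is a reasonable guard for security tests, because a case that silently stops running would otherwise go unnoticed. I would keep it but name it, e.g. `const EXPECTED_TESTS = 12 // keep in sync with the %test functions in the XQSuite modules`, and build the title from that constant. The `lessThan(1)` timing assertion kept below it depends on machine load and can fail for reasons unrelated to the code. The enclosing `describe` block starts and ends outside the hunk.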