
Commit 7165255

authored
Fix case-sensitive JWT claim filtering bypass (#1672)
Use case-insensitive comparison when filtering restricted claims in JwtIssuer to prevent bypass via mixed-case claim keys (e.g. SCP, ROLES). Previously, Dictionary.Remove() used the default case-sensitive comparer, allowing uppercase variants to survive filtering.
1 parent 4bd0d2d commit 7165255

1 file changed

Lines changed: 17 additions & 12 deletions


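--- a/DevProxy/Jwt/JwtIssuer.cs
+++ b/DevProxy/Jwt/JwtIssuer.cs
@@ -37,19 +37,24 @@ public JwtSecurityToken CreateSecurityToken(JwtCreatorOptions options)
 
 if (options.Claims is { Count: > 0 } claimsToAdd)
 {
-// filter out registered claims
-// https://www.rfc-editor.org/rfc/rfc7519#section-4.1
-_ = claimsToAdd.Remove(JwtRegisteredClaimNames.Iss);
-_ = claimsToAdd.Remove(JwtRegisteredClaimNames.Sub);
-_ = claimsToAdd.Remove(JwtRegisteredClaimNames.Aud);
-_ = claimsToAdd.Remove(JwtRegisteredClaimNames.Exp);
-_ = claimsToAdd.Remove(JwtRegisteredClaimNames.Nbf);
-_ = claimsToAdd.Remove(JwtRegisteredClaimNames.Iat);
-_ = claimsToAdd.Remove(JwtRegisteredClaimNames.Jti);
-_ = claimsToAdd.Remove("scp");
-_ = claimsToAdd.Remove("roles");
+// filter out registered claims using case-insensitive comparison
+// https://www.rfc-editor.org/rfc/rfc7519#section-4.1
+var restrictedClaims = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+{
+JwtRegisteredClaimNames.Iss,
+JwtRegisteredClaimNames.Sub,
+JwtRegisteredClaimNames.Aud,
+JwtRegisteredClaimNames.Exp,
+JwtRegisteredClaimNames.Nbf,
+JwtRegisteredClaimNames.Iat,
+JwtRegisteredClaimNames.Jti,
+"scp",
+"roles"
+};
 
-identity.AddClaims(claimsToAdd.Select(kvp => new Claim(kvp.Key, kvp.Value)));
+identity.AddClaims(claimsToAdd
+.Where(kvp => !restrictedClaims.Contains(kvp.Key))
+.Select(kvp => new Claim(kvp.Key, kvp.Value)));
 }
 
 // Although the JwtPayload supports having multiple audiences registered, the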
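Review bot: The `restrictedClaims` set is rebuilt on every call to CreateSecurityToken although its contents are constant; hoisting it to a field, `private static readonly HashSet<string> RestrictedClaims = new(StringComparer.OrdinalIgnoreCase) { JwtRegisteredClaimNames.Iss, /* … */ "scp", "roles" };`, keeps the deny-list in one place and makes it obvious that the case-insensitive comparer is part of the security contract rather than an incidental local. The comment on the new line 40 should say why the comparison is case-insensitive, e.g. `// compared case-insensitively so mixed-case keys (ISS, Scp, ROLES) cannot bypass the filter`, since a reader may otherwise "simplify" it back to the default comparer. Note that the new code no longer mutates `options.Claims`, so if anything after this hunk reads `options.Claims` expecting the restricted keys to be gone, it would now still see them; that code is outside the hunk, so this is only a point to confirm. CreateSecurityToken continues beyond the hunk.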
