fix(isJWT): validate Base64url-decoded header and payload are JSON objects (fixes #2511)

Author: Kartikeya-guthub

src/lib/isJWT.js

@@ -1,15 +1,34 @@
 import assertString from './util/assertString';
 import isBase64 from './isBase64';
 
+function tryDecodeJSON(segment) {
+  if (!isBase64(segment, { urlSafe: true })) return false;
+  try {
+    // Normalize base64url alphabet to base64, then restore stripped padding
+    let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
+    while (b64.length % 4) b64 += '=';
+    const decoded = Buffer.from(b64, 'base64').toString('utf8');
+    const parsed = JSON.parse(decoded);
+    return typeof parsed === 'object' && parsed !== null && !Array.isArray(parsed);
+  } catch (e) {
+    return false;
+  }
+}
+
 export default function isJWT(str) {
   assertString(str);
 
   const dotSplit = str.split('.');
-  const len = dotSplit.length;
 
-  if (len !== 3) {
-    return false;
-  }
+  if (dotSplit.length !== 3) return false;
+
+  const header = dotSplit[0];
+  const payload = dotSplit[1];
+  const signature = dotSplit[2];
+
+  if (!tryDecodeJSON(header)) return false;
+  if (!tryDecodeJSON(payload)) return false;
+  if (!isBase64(signature, { urlSafe: true })) return false;
 
-  return dotSplit.reduce((acc, currElem) => acc && isBase64(currElem, { urlSafe: true }), true);
+  return true;
 }

test/validators.test.js

@@ -5549,6 +5549,15 @@ describe('Validators', () => {
         'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTYxNjY1Mzg3Mn0.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwiaWF0IjoxNjE2NjUzODcyLCJleHAiOjE2MTY2NTM4ODJ9.a1jLRQkO5TV5y5ERcaPAiM9Xm2gBdRjKrrCpHkGr_8M',
         '$Zs.ewu.su84',
         'ks64$S/9.dy$§kz.3sd73b',
+        'foo.bar.',
+        '..',
+        '.t.',
+        'foo.bar.baz',
+        'Zm9v.YmFy.',
+        'eyJmb28iOiJiYXIifQ.YmFy.',
+        'Zm9v.eyJiYXIiOiJiYXoifQ.',
+        'W10=.eyJiYXIiOiJiYXoifQ.',
+        'eyJmb28iOiJiYXIifQ.W10=.',
       ],
       error: [
         [],