From 3700db6dd5b6154ee2c641f34eee8a84686c9373 Mon Sep 17 00:00:00 2001
From: Renovate Bot <forgejo-renovate-action@forgejo.org>
Date: Sat, 22 Mar 2025 15:51:41 +0000
Subject: [PATCH] Update module github.com/golang-jwt/jwt/v5 to v5.2.2
 [SECURITY] (forgejo) (#7296)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) | require | patch | `v5.2.1` -> `v5.2.2` |

---

### jwt-go allows excessive memory allocation during header parsing
[CVE-2025-30204](https://nvd.nist.gov/vuln/detail/CVE-2025-30204) / [GHSA-mh63-6h87-95cp](https://github.com/advisories/GHSA-mh63-6h87-95cp)

<details>
<summary>More information</summary>

#### Details
##### Summary

Function [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose _Authorization_ header consists of `Bearer ` followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html)

##### Details

See [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139)

##### Impact

Excessive memory allocation

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References
- [https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp](https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp)
- [https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3](https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3)
- [https://github.com/golang-jwt/jwt](https://github.com/golang-jwt/jwt)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-mh63-6h87-95cp) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>golang-jwt/jwt (github.com/golang-jwt/jwt/v5)</summary>

### [`v5.2.2`](https://github.com/golang-jwt/jwt/releases/tag/v5.2.2)

[Compare Source](https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2)

#### What's Changed

-   Fixed https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp by [@&#8203;mfridman](https://github.com/mfridman)
-   Fixed some typos by [@&#8203;Ashikpaul](https://github.com/Ashikpaul) in https://github.com/golang-jwt/jwt/pull/382
-   build: add go1.22 to ci workflows by [@&#8203;mfridman](https://github.com/mfridman) in https://github.com/golang-jwt/jwt/pull/383
-   Bump golangci/golangci-lint-action from 4 to 5 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/golang-jwt/jwt/pull/387
-   Bump golangci/golangci-lint-action from 5 to 6 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/golang-jwt/jwt/pull/389
-   chore: bump ci tests to include go1.23 by [@&#8203;mfridman](https://github.com/mfridman) in https://github.com/golang-jwt/jwt/pull/405
-   Fix jwt -show by [@&#8203;AlexanderYastrebov](https://github.com/AlexanderYastrebov) in https://github.com/golang-jwt/jwt/pull/406
-   docs: typo by [@&#8203;kvii](https://github.com/kvii) in https://github.com/golang-jwt/jwt/pull/407
-   Update SECURITY.md by [@&#8203;oxisto](https://github.com/oxisto) in https://github.com/golang-jwt/jwt/pull/416
-   Update `jwt.Parse` example to use `jwt.WithValidMethods` by [@&#8203;mattt](https://github.com/mattt) in https://github.com/golang-jwt/jwt/pull/425

#### New Contributors

-   [@&#8203;Ashikpaul](https://github.com/Ashikpaul) made their first contribution in https://github.com/golang-jwt/jwt/pull/382
-   [@&#8203;kvii](https://github.com/kvii) made their first contribution in https://github.com/golang-jwt/jwt/pull/407
-   [@&#8203;mattt](https://github.com/mattt) made their first contribution in https://github.com/golang-jwt/jwt/pull/425

**Full Changelog**: https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDUuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNS4xIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7296
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 03b95cf748..18381a6e1c 100644
--- a/go.mod
+++ b/go.mod
@@ -53,7 +53,7 @@ require (
 	github.com/gobwas/glob v0.2.3
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
 	github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
-	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0
 	github.com/google/go-github/v64 v64.0.0
 	github.com/google/pprof v0.0.0-20241017200806-017d972448fc
diff --git a/go.sum b/go.sum
index 657b80d4a7..b6d508faba 100644
--- a/go.sum
+++ b/go.sum
@@ -985,8 +985,8 @@ github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85 h1:UjoPNDAQ5JP
 github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85/go.mod h1:fR6z1Ie6rtF7kl/vBYMfgD5/G5B1blui7z426/sj2DU=
 github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
 github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=