deps: replace jsrsasign

We were only using a couple of utility functionss to parse tokens, not to validate them in any way.
2020-05-20 13:42:17 +02:00 · 2020-05-20 13:42:17 +02:00 · 70d8fe91c3
parent c6d5e103f5
commit 70d8fe91c3
3 changed files with 50 additions and 12 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -5313,9 +5313,9 @@
      "integrity": "sha1-eAqZyE59YAJgNhURxId2E78k9rs="
    },
    "base64-js": {
-      "version": "1.2.3",
-      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.2.3.tgz",
-      "integrity": "sha512-MsAhsUW1GxCdgYSO6tAfZrNapmUKk7mWx/k5mFY/A1gBtkaCaNapTg+FExCw1r9yeaZhqx/xPg43xgTFH6KL5w=="
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.3.1.tgz",
+      "integrity": "sha512-mLQ4i2QO1ytvGWFWmcngKO//JXAQueZvwEKtjgQFM4jIK0kU+ytMfplL8j+n5mspOfjHwoAg+9yhb7BwAHm36g=="
    },
    "basic-auth": {
      "version": "2.0.1",
@ -10714,11 +10714,6 @@
        "verror": "1.10.0"
      }
    },
-    "jsrsasign": {
-      "version": "8.0.12",
-      "resolved": "https://registry.npmjs.org/jsrsasign/-/jsrsasign-8.0.12.tgz",
-      "integrity": "sha1-Iqu5ZW00owuVMENnIINeicLlwxY="
-    },
    "jssha": {
      "version": "2.3.1",
      "resolved": "https://registry.npmjs.org/jssha/-/jssha-2.3.1.tgz",
--- a/package.json
+++ b/package.json
@ -41,6 +41,7 @@
    "@tensorflow/tfjs": "1.5.1",
    "@webcomponents/url": "0.7.1",
    "amplitude-js": "4.5.2",
+    "base64-js": "1.3.1",
    "bc-css-flags": "3.0.0",
    "dropbox": "4.0.9",
    "i18n-iso-countries": "3.7.8",
@ -54,7 +55,6 @@
    "jquery-i18next": "1.2.1",
    "js-md5": "0.6.1",
    "js-utils": "github:jitsi/js-utils#cf11996bd866fdb47326c59a5d3bc24be17282d4",
-    "jsrsasign": "8.0.12",
    "jwt-decode": "2.2.0",
    "lib-jitsi-meet": "github:jitsi/lib-jitsi-meet#3c8d411c96fdfa18c57111630f29880f3f72949e",
    "libflacjs": "github:mmig/libflac.js#93d37e7f811f01cf7d8b6a603e38bd3c3810907d",
--- a/react/features/calendar-sync/web/microsoftCalendar.js
+++ b/react/features/calendar-sync/web/microsoftCalendar.js
@ -1,7 +1,8 @@
 // @flow

 import { Client } from '@microsoft/microsoft-graph-client';
-import rs from 'jsrsasign';
+import base64js from 'base64-js';
+
 import type { Dispatch } from 'redux';

 import { createDeferred } from '../../../../modules/util/helpers';
@ -452,8 +453,13 @@ function getValidatedTokenParts(tokenInfo, guids, appId) {
        return null;
    }

-    const payload
-         = rs.KJUR.jws.JWS.readSafeJSONString(rs.b64utoutf8(tokenParts[1]));
+    let payload;
+
+    try {
+        payload = JSON.parse(b64utoutf8(tokenParts[1]));
+    } catch (e) {
+        return null;
+    }

    if (payload.nonce !== guids.authNonce
        || payload.aud !== appId
@ -596,3 +602,40 @@ function s4(num) {

    return ret;
 }
+
+/**
+ * Convert a Base64URL encoded string to a UTF-8 encoded string including CJK or Latin.
+ *
+ * @param {string} str - The string that needs conversion.
+ * @private
+ * @returns {string} - The converted string.
+ */
+function b64utoutf8(str) {
+    let s = str;
+
+    // Convert from Base64URL to Base64.
+
+    if (s.length % 4 === 2) {
+        s += '==';
+    } else if (s.length % 4 === 3) {
+        s += '=';
+    }
+
+    s = s.replace(/-/g, '+').replace(/_/g, '/');
+
+    // Convert Base64 to a byte array.
+
+    const bytes = base64js.toByteArray(s);
+
+    // Convert bytes to hex.
+
+    s = bytes.reduce((str_, byte) => str_ + byte.toString(16).padStart(2, '0'), '');
+
+    // Convert a hexadecimal string to a URLComponent string
+
+    s = s.replace(/(..)/g, '%$1');
+
+    // Decodee the URI component
+
+    return decodeURIComponent(s);
+}