
Prevent from Base64 Malleability#51

Merged
lepture merged 4 commits into authlib:main from FrancoisCapon:main on May 10, 2025

Conversation

@FrancoisCapon (Contributor)

Hi,

The Pentesterlab API JWT revocation exercise is based on the fact that base64 decoding libraries accept non-canonical forms.

The revocation is based on a cache that stores the full JWT token. If an exact match is found in the cache, the JWT is revoked and the request is rejected. However, the match is strictly an exact match and does not account for the malleability of Base64 encoding.

RFC 4648 talks about this security issue in sections 3.5 and 12.

@rb-x demonstrates it in this issue (Multiple valid JWT Signatures for HMAC Algorithms).

I used this fact to build base64 steganography tools, and in fact it is very easy to detect a non-canonical form just by checking the last character of the string:

```text
b64_print_regular_characters.sh
...
* List of REGULAR characters with FOUR padding bits (string ends with ==)
A Q g w [AQgw]
...
* List of REGULAR characters with TWO padding bits (string ends with =)
A E I M Q U Y c g k o s w 0 4 8 [AEIMQUYcgkosw048]
...
```

So, I propose to implement this check in the urlsafe_b64decode(s: bytes) -> bytes function to raise a DecodeError, to protect JOSE from any tampering with the base64 encoding ⛔ 🏴‍☠️.
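The last-character check proposed above, written out as an added Python example (this is not joserfc's or authlib's own code; the names DecodeError, urlsafe_b64decode_strict and malleate are assumed for this illustration). The demo shows the lenient stdlib decoder accepting a signature whose unused trailing bits were altered, while the strict decoder rejects it.

```python
import base64
import binascii

ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
# Last characters whose unused low bits are all zero (the lists from the PR description):
LAST_OK_2_CHARS = frozenset(b"AQgw")              # len % 4 == 2 -> four unused bits
LAST_OK_3_CHARS = frozenset(b"AEIMQUYcgkosw048")  # len % 4 == 3 -> two unused bits


class DecodeError(ValueError):
    """Input is not valid, canonical base64url (name assumed for this example)."""


def urlsafe_b64decode_strict(s: bytes) -> bytes:
    """Decode unpadded base64url (JOSE style), rejecting non-canonical encodings."""
    s = s.rstrip(b"=")  # JOSE omits padding; tolerate it if a caller added it
    rem = len(s) % 4
    if rem == 1:
        raise DecodeError("invalid base64url length")
    if (rem == 2 and s[-1] not in LAST_OK_2_CHARS) or (rem == 3 and s[-1] not in LAST_OK_3_CHARS):
        raise DecodeError("non-canonical base64url: unused trailing bits are not zero")
    try:
        # validate=True rejects characters outside the alphabet instead of silently dropping them
        return base64.b64decode(s + b"=" * (-len(s) % 4), altchars=b"-_", validate=True)
    except binascii.Error as exc:
        raise DecodeError(str(exc)) from exc


def malleate(s: bytes) -> bytes:
    """Set an unused trailing bit of a canonical base64url string (demo helper only)."""
    s = s.rstrip(b"=")
    return s[:-1] + bytes([ALPHABET[ALPHABET.index(s[-1]) + 1]])


def demo() -> dict:
    sig = bytes(range(32))  # constructed stand-in for a 32-byte HS256 signature
    canonical = base64.urlsafe_b64encode(sig).rstrip(b"=")
    mutated = malleate(canonical)
    # The lenient decoder yields the same bytes, so an exact-match revocation cache is bypassed
    lenient_same = base64.urlsafe_b64decode(mutated + b"=") == sig
    try:
        urlsafe_b64decode_strict(mutated)
        strict_rejected = False
    except DecodeError:
        strict_rejected = True
    return {"canonical": canonical, "mutated": mutated,
            "lenient_accepts_mutated": lenient_same, "strict_rejects_mutated": strict_rejected}


if __name__ == "__main__":
    print(demo())
```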

@codecov (bot) commented May 10, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 99.62%. Comparing base (7982683) to head (420c016).
Report is 1 commit behind head on main.

Additional details and impacted files

```text
@@            Coverage Diff             @@
##             main      #51      +/-   ##
==========================================
- Coverage   99.77%   99.62%   -0.15%     
==========================================
  Files          44       44              
  Lines        2642     2655      +13     
  Branches      311      315       +4     
==========================================
+ Hits         2636     2645       +9     
- Misses          4        8       +4     
  Partials        2        2              
```

| Flag | Coverage Δ |
|---|---|
| unittests | 99.62% <100.00%> (-0.15%) ⬇️ |


@lepture merged commit 9da0543 into authlib:main on May 10, 2025.
8 of 9 checks passed.