spec for CVE-2023-51774 mitigation

nov · nov · commit 22fce184d450 · 2024-03-07T08:06:49.000+09:00
diff --git a/spec/json/jwt_spec.rb b/spec/json/jwt_spec.rb
@@ -504,6 +504,14 @@
         end
       end
     end
+
+    context 'when JWS & JWE can be mixed-up (CVE-2023-51774)' do
+      it do
+        expect do
+          JSON::JWT.decode 'header.encrypted_key.iv.cipher_text.authentication_tag', 'secret', nil, nil, true
+        end.to raise_error JSON::JWT::InvalidFormat
+      end
+    end
   end
 
   describe '.pretty_generate' do
