
I've been working with JSON Web Tokens lately and stumbled upon a very interesting bug (or so I think). I'm not a pro in programming, but a part of the code doesn't make sense to me and I can't understand it whatsoever.

Original function is in package jwkest, function itself is jwkest.jwe.JWEnc.is_jwe

I rewrote it so that I have logging of what's happening, to this state:

import logging

log = logging.getLogger(__name__)


def logged_is_jwe(instance):
    # Algorithms this check accepts for the "alg" and "enc" headers.
    SUPPORTED = {
        "alg": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW",
                "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"],
        "enc": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
                "A128GCM", "A192GCM", "A256GCM"],
    }
    log.debug("Checking if JWE -> overriden")
    log.debug(instance.headers)
    # An explicit typ of "jwe" short-circuits the rest of the check.
    if "typ" in instance.headers and instance.headers["typ"].lower() == "jwe":
        log.debug(f'typ checks out: {instance.headers["typ"]}')
        return True

    try:
        alg: bool = "alg" in instance.headers
        enc: bool = "enc" in instance.headers
        log.debug(f'{alg} ^ {enc} -> {alg and enc}')
        # Both headers must be present for this to be a JWE.
        assert alg and enc
    except AssertionError:
        log.debug('Assertion failed')
        return False
    else:
        log.debug(str("enc" in instance.headers))
        log.debug(str("alg" in instance.headers))
        log.debug(f'assertion checks out: {instance.headers.get("alg", "N/a")}, {instance.headers.get("enc", "N/a")}')
        # Each header value must be one of the supported algorithms.
        for typ in ["alg", "enc"]:
            try:
                assert instance.headers[typ] in SUPPORTED[typ]
            except AssertionError:
                log.debug("Not supported %s algorithm: %s" % (
                    typ, instance.headers[typ]))
                return False
    log.debug("JWE")
    return True

where you can clearly see the order of logging etc.

What surprises me is when I see the following thing in my log:

rid=n-a [DEBUG] Checking if JWE -> overriden
rid=n-a [DEBUG] {'alg': 'RS256', 'typ': 'JWT', 'kid': '******'}
rid=n-a [DEBUG] True ^ False -> False
rid=n-a [DEBUG] False
rid=n-a [DEBUG] True
rid=n-a [DEBUG] assertion checks out: RS256, N/a
rid=n-a [DEBUG] JWE

Where apparently

assert True and False

doesn't raise an AssertionError even though it should.

Can anyone explain?

EDIT: I forgot to mention the following: on my local computer, when running the app from the terminal, this assertion works correctly. However, when I run the app from a Docker container using uWSGI, this weird behavior is present.

Nemo
  • It is possible to [turn off assertion errors](https://stackoverflow.com/questions/1273211/disable-assertions-in-python) in Python. Sounds like it is your case. Anyway, I tried to reproduce your code and `assert` is working as expected. The example code's behavior is not reproducible in my environment. – rzlvmp Feb 22 '23 at 09:46
  • Hey, it might be true. The error only occurs for me when I run the app from Docker using uwsgi. – Nemo Feb 22 '23 at 09:50

1 Answer


I found out that Python optimization levels ignore assertions, so when I looked into uwsgi.ini and saw optimize = 2, I understood.

Nemo
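As an added example (not code from the question or from the jwkest project), the script below reproduces the effect behind the accepted answer and shows the fix a defender wants: `uwsgi`'s `optimize = 2` maps to Python's `-O` level, which compiles every `assert` statement away, so an `assert`-based check silently accepts a plain JWT header as a JWE. `assert_based_is_jwe` mirrors the fragile shape from the question, `is_jwe` makes the same decision with explicit conditionals that the optimizer cannot strip, and `assertions_enabled` reports whether the running interpreter will honour `assert` at all. The function names, the `JWT_HEADER` / `JWE_HEADER` dictionaries and the `kid` value are constructed for this example.

```python
import sys

# Same algorithm lists as the SUPPORTED table in the question.
SUPPORTED = {
    "alg": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW",
            "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"],
    "enc": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
            "A128GCM", "A192GCM", "A256GCM"],
}

# Constructed sample headers (assumed shapes, not real tokens).
JWT_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
JWE_HEADER = {"alg": "RSA-OAEP", "enc": "A256GCM"}


def assertions_enabled() -> bool:
    """True only when this interpreter executes `assert` statements.

    `python -O`, PYTHONOPTIMIZE=1 or uwsgi's `optimize = 1` / `optimize = 2`
    set __debug__ to False (sys.flags.optimize >= 1) and drop every assert
    at compile time, including the expression inside it.
    """
    return __debug__


def assert_based_is_jwe(headers: dict) -> bool:
    """The fragile shape from the question: validation done with assert.

    With assertions enabled this returns False for a plain JWT header.
    Under -O both asserts vanish, so the function falls through and
    returns True, which is exactly what the question's log shows.
    """
    try:
        assert "alg" in headers and "enc" in headers
    except AssertionError:
        return False
    for key in ("alg", "enc"):
        try:
            # Under -O this whole statement is gone, so headers[key] is
            # never evaluated and no KeyError can surface either.
            assert headers[key] in SUPPORTED[key]
        except AssertionError:
            return False
    return True


def is_jwe(headers: dict) -> bool:
    """Same decision written with explicit conditionals.

    Nothing here depends on the optimization level, and a non-string
    `typ` value is treated as "not a JWE" instead of raising.
    """
    typ = headers.get("typ")
    if isinstance(typ, str) and typ.lower() == "jwe":
        return True
    if "alg" not in headers or "enc" not in headers:
        return False
    return all(headers[key] in SUPPORTED[key] for key in ("alg", "enc"))


if __name__ == "__main__":
    print("optimize level:", sys.flags.optimize,
          "assertions enabled:", assertions_enabled())
    print("assert-based check on JWT header:", assert_based_is_jwe(JWT_HEADER))
    print("explicit check on JWT header:   ", is_jwe(JWT_HEADER))
```

Run it once as `python example.py` and once as `python -O example.py`: the assert-based result flips from False to True while `is_jwe` stays False. The practical rule this demonstrates is that `assert` is a debugging aid, never an input or security check; if a deployment must run optimized, a startup check on `__debug__` or `sys.flags.optimize` can at least make the mode visible in the logs.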