From e37ac41afb92dbbcd7f3b836575fbfcbcf37fb16 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 23 Nov 2022 18:02:36 +0100
Subject: [PATCH] vendor: github.com/fernet/fernet-go v0.0.0-20211208181803-9f70042a33ee
Fixes a potential panic.
full diff: https://github.com/fernet/fernet-go/compare/9eac43b88a5e...9f70042a33eec190ef525c59806ad5467f2e53c3
Signed-off-by: Sebastiaan van Stijn
(cherry picked from commit 1e48b645389299f9bc65b436e7558a04fa7d6203)
Signed-off-by: Sebastiaan van Stijn
---
vendor.mod | 2 +-
vendor.sum | 4 ++--
vendor/github.com/fernet/fernet-go/fernet.go | 6 +++++-
vendor/github.com/fernet/fernet-go/invalid.json | 14 ++++++++++++++
vendor/modules.txt | 2 +-
5 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/vendor.mod b/vendor.mod
index d37fae7116..a08c271c68 100644
--- a/vendor.mod
+++ b/vendor.mod
@@ -107,7 +107,7 @@ require (
 github.com/cyphar/filepath-securejoin v0.2.3 // indirect
 github.com/dustin/go-humanize v1.0.0 // indirect
 github.com/felixge/httpsnoop v1.0.2 // indirect
- github.com/fernet/fernet-go v0.0.0-20180830025343-9eac43b88a5e // indirect
+ github.com/fernet/fernet-go v0.0.0-20211208181803-9f70042a33ee // indirect
 github.com/fsnotify/fsnotify v1.5.1 // indirect
 github.com/go-logr/logr v1.2.2 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
diff --git a/vendor.sum b/vendor.sum
index 75f73b2f01..ecec093071 100644
--- a/vendor.sum
+++ b/vendor.sum
@@ -417,8 +417,8 @@ github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5Kwzbycv
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/felixge/httpsnoop v1.0.2 h1:+nS9g82KMXccJ/wp0zyRW9ZBHFETmMGtkk+2CTTrW4o=
 github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fernet/fernet-go v0.0.0-20180830025343-9eac43b88a5e h1:P10tZmVD2XclAaT9l7OduMH1OLFzTa1wUuUqHZnEdI0=
-github.com/fernet/fernet-go v0.0.0-20180830025343-9eac43b88a5e/go.mod h1:2H9hjfbpSMHwY503FclkV/lZTBh2YlOmLLSda12uL8c=
+github.com/fernet/fernet-go v0.0.0-20211208181803-9f70042a33ee h1:v6Eju/FhxsACGNipFEPBZZAzGr1F/jlRQr1qiBw2nEE=
+github.com/fernet/fernet-go v0.0.0-20211208181803-9f70042a33ee/go.mod h1:2H9hjfbpSMHwY503FclkV/lZTBh2YlOmLLSda12uL8c=
 github.com/fluent/fluent-logger-golang v1.9.0 h1:zUdY44CHX2oIUc7VTNZc+4m+ORuO/mldQDA7czhWXEg=
 github.com/fluent/fluent-logger-golang v1.9.0/go.mod h1:2/HCT/jTy78yGyeNGQLGQsjF3zzzAuy6Xlk6FCMV5eU=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
diff --git a/vendor/github.com/fernet/fernet-go/fernet.go b/vendor/github.com/fernet/fernet-go/fernet.go
index 9e4bcce35c..b35fdbbe4f 100644
--- a/vendor/github.com/fernet/fernet-go/fernet.go
+++ b/vendor/github.com/fernet/fernet-go/fernet.go
@@ -30,6 +30,7 @@ const (
 payOffset = ivOffset + aes.BlockSize
 overhead = 1 + 8 + aes.BlockSize + sha256.Size // ver + ts + iv + hmac
 maxClockSkew = 60 * time.Second
+ uint64Bytes = 8
 )
 
 var encoding = base64.URLEncoding
@@ -63,7 +64,7 @@ func decodedLen(n int) int {
 
 // if msg is nil, decrypts in place and returns a slice of tok.
 func verify(msg, tok []byte, ttl time.Duration, now time.Time, k *Key) []byte {
- if len(tok) < 1 || tok[0] != version {
+ if len(tok) < 1+uint64Bytes || tok[0] != version {
 return nil
 }
 ts := time.Unix(int64(binary.BigEndian.Uint64(tok[1:])), 0)
@@ -71,6 +72,9 @@ func verify(msg, tok []byte, ttl time.Duration, now time.Time, k *Key) []byte {
 return nil
 }
 n := len(tok) - sha256.Size
+ if n <= 0 {
+ return nil
+ }
 var hmac [sha256.Size]byte
 genhmac(hmac[:0], tok[:n], k.signBytes())
 if subtle.ConstantTimeCompare(tok[n:], hmac[:]) != 1 {
diff --git a/vendor/github.com/fernet/fernet-go/invalid.json b/vendor/github.com/fernet/fernet-go/invalid.json
index d80e7b4a35..ec48ecccf7 100644
--- a/vendor/github.com/fernet/fernet-go/invalid.json
+++ b/vendor/github.com/fernet/fernet-go/invalid.json
@@ -54,5 +54,19 @@
 "now": "1985-10-26T01:20:01-07:00",
 "ttl_sec": 60,
 "secret": "cw_0x689RpI-jtRR7oE8h_eQsKImvJapLeSbXpwF4e4="
+ },
+ {
+ "desc": "very short payload size",
+ "token": "gAAAAABdnQ1TUKh2OE_ggbyCIxfg",
+ "now": "1985-10-26T01:20:01-07:00",
+ "ttl_sec": 0,
+ "secret": "cw_0x689RpI-jtRR7oE8h_eQsKImvJapLeSbXpwF4e4="
+ },
+ {
+ "desc": "super short payload size",
+ "token": "gAAA",
+ "now": "1985-10-26T01:20:01-07:00",
+ "ttl_sec": 0,
+ "secret": "cw_0x689RpI-jtRR7oE8h_eQsKImvJapLeSbXpwF4e4="
 }
 ]
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 74f58450db..22107c9739 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -320,7 +320,7 @@ github.com/dustin/go-humanize
 # github.com/felixge/httpsnoop v1.0.2
 ## explicit; go 1.13
 github.com/felixge/httpsnoop
-# github.com/fernet/fernet-go v0.0.0-20180830025343-9eac43b88a5e
+# github.com/fernet/fernet-go v0.0.0-20211208181803-9f70042a33ee
 ## explicit
 github.com/fernet/fernet-go
 # github.com/fluent/fluent-logger-golang v1.9.0
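Review bot: The `n <= 0` guard added here is a weaker minimum-length check than the file already defines: a token of 33 to 56 bytes passes it while `n` is still below `payOffset`, so the real floor is expressed nowhere and the length validation is split between this hunk and the `1+uint64Bytes` comparison at the top of verify. The `overhead` constant in the first hunk (`1 + 8 + aes.BlockSize + sha256.Size`) already encodes that floor, so the entry check could read `if len(tok) < overhead || tok[0] != version {` and subsume both new guards. Whether a short but correctly authenticated token still reaches an out-of-range slice such as `tok[payOffset:n]` cannot be confirmed from this hunk, since verify's body continues past it; producing such a token would require the signing key, so the residual exposure is a crash triggered by a key holder rather than by an untrusted party. As this is a vendored copy, the tightening belongs upstream in fernet-go rather than in this repository's vendor tree.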