[Feature] Fix Helm & JWT CVE's (#1890)

Author: ajanikow

.golangci.yaml

@@ -183,6 +183,8 @@ linters-settings:
         pkg: strings
       - alias: goHttp
         pkg: net/http
+      - alias: jwt
+        pkg: github.com/golang-jwt/jwt/v5
   gci:
     sections:
       - standard

CHANGELOG.md

@@ -5,6 +5,7 @@
 - (Bugfix) Prevent UpToDate Condition changes during Action processing
 - (Feature) (Platform) Reorganize Envoy Auth
 - (Feature) Ensure Group Service Type
+- (Maintenance) Fix Helm & JWT CVE's
 
 ## [1.2.48](https://github.com/arangodb/kube-arangodb/tree/1.2.48) (2025-05-08)
 - (Maintenance) Extend Documentation

go.mod

@@ -14,19 +14,21 @@ replace (
 	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.31.8
 	k8s.io/apimachinery => k8s.io/apimachinery v0.31.8
 	k8s.io/apiserver => k8s.io/apiserver v0.31.8
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.31.8
 	k8s.io/client-go => k8s.io/client-go v0.31.8
 	k8s.io/cloud-provider => k8s.io/cloud-provider v0.31.8
 	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.31.8
 	k8s.io/code-generator => ./deps/k8s.io/code-generator
 	k8s.io/component-base => k8s.io/component-base v0.31.8
+	k8s.io/kubectl => k8s.io/kubectl v0.31.8
 	k8s.io/kubernetes => k8s.io/kubernetes v0.31.8
 	k8s.io/metrics => k8s.io/metrics v0.31.8
 )
 
 require (
 	github.com/arangodb-helper/go-certificates v0.0.0-20180821055445-9fca24fc2680
 	github.com/arangodb-helper/go-helper v0.4.2
-	github.com/arangodb/arangosync-client v0.9.0
+	github.com/arangodb/arangosync-client v0.9.1
 	github.com/arangodb/go-driver v1.6.6
 	github.com/arangodb/go-driver/v2 v2.1.3
 	github.com/arangodb/go-upgrade-rules v0.0.0-20180809110947-031b4774ff21
@@ -38,7 +40,6 @@ require (
 	github.com/envoyproxy/go-control-plane v0.13.1
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/gin-gonic/gin v1.9.1
-	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/uuid v1.6.0
 	github.com/jessevdk/go-assets v0.0.0-20160921144138-4f4301a06e15
@@ -64,10 +65,10 @@ require (
 	google.golang.org/grpc v1.70.0
 	google.golang.org/protobuf v1.36.5
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.31.8
-	k8s.io/apiextensions-apiserver v0.31.8
-	k8s.io/apimachinery v0.31.8
-	k8s.io/client-go v0.31.8
+	k8s.io/api v0.32.2
+	k8s.io/apiextensions-apiserver v0.32.2
+	k8s.io/apimachinery v0.32.2
+	k8s.io/client-go v0.32.2
 	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f
 	sigs.k8s.io/yaml v1.4.0
 )
@@ -78,10 +79,11 @@ require (
 	github.com/arangodb-managed/integration-apis v0.2.1
 	github.com/aws/aws-sdk-go v1.55.6
 	github.com/go-logr/zerologr v1.2.3
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1
 	github.com/jedib0t/go-pretty/v6 v6.6.5
 	google.golang.org/genproto/googleapis/api v0.0.0-20250204164813-702378808489
-	helm.sh/helm/v3 v3.16.4
+	helm.sh/helm/v3 v3.17.3
 	k8s.io/klog/v2 v2.130.1
 )
 
@@ -142,7 +144,6 @@ require (
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
@@ -222,10 +223,10 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/apiserver v0.31.8 // indirect
-	k8s.io/cli-runtime v0.31.8 // indirect
-	k8s.io/component-base v0.31.8 // indirect
-	k8s.io/kubectl v0.31.8 // indirect
+	k8s.io/apiserver v0.32.2 // indirect
+	k8s.io/cli-runtime v0.32.2 // indirect
+	k8s.io/component-base v0.32.2 // indirect
+	k8s.io/kubectl v0.32.2 // indirect
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
 	oras.land/oras-go v1.2.5 // indirect
 	sigs.k8s.io/controller-runtime v0.16.3 // indirect

go.sum

@@ -838,6 +838,8 @@ github.com/arangodb-managed/integration-apis v0.2.1 h1:/crCuhBCIIvx+r+RC3cMJ7Mo5
 github.com/arangodb-managed/integration-apis v0.2.1/go.mod h1:yMK28s6LsYk7j0NfmuutYRSJI47iCcTTNWXmYGmi1h8=
 github.com/arangodb/arangosync-client v0.9.0 h1:XhY+5gGGpl9Gk8Prqmdv0SpK3HydFUXvN2CmTIKUxKI=
 github.com/arangodb/arangosync-client v0.9.0/go.mod h1:kU2UaOkv2AeHLAFMEo4Ug3qLbUQVKOuRtkfr6pZqmuk=
+github.com/arangodb/arangosync-client v0.9.1 h1:zq5JUjNK51tWKjA0FARouAiI+A8QtwHs0353K+PUo9k=
+github.com/arangodb/arangosync-client v0.9.1/go.mod h1:5f4j6DJ95IetZw67Yqy91Ptz2R5xzaVoawV2bHVRuHw=
 github.com/arangodb/go-agency-helper v0.4.1 h1:p/lbjz0ludEw30ig/Dv+lueZAIHIsTmXp/HQm5t5F94=
 github.com/arangodb/go-agency-helper v0.4.1/go.mod h1:IMzQ1JilLu764DgFQ1qh21jPEzsMohcWQ4334BBxixE=
 github.com/arangodb/go-driver v1.2.1/go.mod h1:zdDkJJnCj8DAkfbtIjIXnsTrWIiy6VhP3Vy14p+uQeY=
@@ -2595,6 +2597,8 @@ helm.sh/helm/v3 v3.16.2 h1:Y9v7ry+ubQmi+cb5zw1Llx8OKHU9Hk9NQ/+P+LGBe2o=
 helm.sh/helm/v3 v3.16.2/go.mod h1:SyTXgKBjNqi2NPsHCW5dDAsHqvGIu0kdNYNH9gQaw70=
 helm.sh/helm/v3 v3.16.4 h1:rBn/h9MACw+QlhxQTjpl8Ifx+VTWaYsw3rguGBYBzr0=
 helm.sh/helm/v3 v3.16.4/go.mod h1:k8QPotUt57wWbi90w3LNmg3/MWcLPigVv+0/X4B8BzA=
+helm.sh/helm/v3 v3.17.3 h1:3n5rW3D0ArjFl0p4/oWO8IbY/HKaNNwJtOQFdH2AZHg=
+helm.sh/helm/v3 v3.17.3/go.mod h1:+uJKMH/UiMzZQOALR3XUf3BLIoczI2RKKD6bMhPh4G8=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -2639,6 +2643,8 @@ k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk=
 k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U=
 k8s.io/cli-runtime v0.31.8 h1:58BF5fJFn0rBlz0U3JXQmvyWf1Be3BX6qhCUhO1/4QU=
 k8s.io/cli-runtime v0.31.8/go.mod h1:/44n6BZ3M5DbT+RVma6AzfLfZ8c8v8tq+ATDoeOkas0=
+k8s.io/cli-runtime v0.32.2 h1:aKQR4foh9qeyckKRkNXUccP9moxzffyndZAvr+IXMks=
+k8s.io/cli-runtime v0.32.2/go.mod h1:a/JpeMztz3xDa7GCyyShcwe55p8pbcCVQxvqZnIwXN8=
 k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0=
 k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg=
 k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc=
@@ -2681,6 +2687,8 @@ k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24=
 k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM=
 k8s.io/kubectl v0.31.8 h1:qBSmBBMACJ2fpClRdzh6o5yYzYl4Nt9kIzQBmlBYCRI=
 k8s.io/kubectl v0.31.8/go.mod h1:ZAxEoXDcdJlgmxuJo5zzHmkjWKgicaGErw/9KgaB6Sw=
+k8s.io/kubectl v0.32.2 h1:TAkag6+XfSBgkqK9I7ZvwtF0WVtUAvK8ZqTt+5zi1Us=
+k8s.io/kubectl v0.32.2/go.mod h1:+h/NQFSPxiDZYX/WZaWw9fwYezGLISP0ud8nQKg+3g8=
 k8s.io/metrics v0.31.2 h1:sQhujR9m3HN/Nu/0fTfTscjnswQl0qkQAodEdGBS0N4=
 k8s.io/metrics v0.31.2/go.mod h1:QqqyReApEWO1UEgXOSXiHCQod6yTxYctbAAQBWZkboU=
 k8s.io/metrics v0.31.5 h1:0QQQ20yA3IdXyXC0CXLveRwOXF0ekCuPf6iNKVqXIbw=

pkg/api/auth.go

@@ -27,7 +27,7 @@ import (
 	"fmt"
 	"time"
 
-	jg "github.com/golang-jwt/jwt"
+	jwt "github.com/golang-jwt/jwt/v5"
 	core "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -424,7 +424,7 @@ func AppendKeyfileToKeyfolder(ctx context.Context, cachedStatus inspectorInterfa
 }
 
 var (
-	exporterTokenClaims = jg.MapClaims{
+	exporterTokenClaims = jwt.MapClaims{
 		token.ClaimISS: token.ClaimISSValue,
 		"server_id":    "exporter",
 		"allowed_paths": []interface{}{"/_admin/statistics", "/_admin/statistics-description",
@@ -490,18 +490,13 @@ func (r *Resources) ensureExporterTokenSecretCreateRequired(cachedStatus inspect
 			return true, true, errors.WithStack(err)
 		}
 
-		token, err := jg.Parse(string(data), func(token *jg.Token) (i interface{}, err error) {
-			return []byte(secret), nil
-		})
+		token, err := token.Parse(string(data), []byte(secret))
 
 		if err != nil {
 			return true, true, nil
 		}
 
-		tokenClaims, ok := token.Claims.(jg.MapClaims)
-		if !ok {
-			return true, true, nil
-		}
+		tokenClaims := jwt.MapClaims(token)
 
 		return !equality.Semantic.DeepDerivative(tokenClaims, exporterTokenClaims), true, nil
 	}

pkg/api/jwt.go

@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+// Copyright 2024-2025 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -21,26 +21,11 @@
 package token
 
 import (
-	jg "github.com/golang-jwt/jwt"
+	jwt "github.com/golang-jwt/jwt/v5"
 
 	"github.com/arangodb/kube-arangodb/pkg/util/errors"
 )
 
 func IsSignatureInvalidError(err error) bool {
-	return isJQError(err, jg.ErrSignatureInvalid)
-}
-
-func isJQError(err, expected error) bool {
-	if err == nil || expected == nil {
-		return false
-	}
-
-	var v *jg.ValidationError
-	if errors.As(err, &v) {
-		if errors.Is(v.Inner, expected) {
-			return true
-		}
-	}
-
-	return false
+	return errors.Is(err, jwt.ErrSignatureInvalid)
 }

pkg/deployment/resources/secrets.go

@@ -23,10 +23,10 @@ package token
 import (
 	"time"
 
-	jg "github.com/golang-jwt/jwt"
+	jwt "github.com/golang-jwt/jwt/v5"
 )
 
-var defaultTokenClaims = jg.MapClaims{
+var defaultTokenClaims = jwt.MapClaims{
 	ClaimISS: ClaimISSValue,
 }
 

pkg/util/token/errors.go

@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+// Copyright 2024-2025 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -21,21 +21,29 @@
 package token
 
 import (
-	jg "github.com/golang-jwt/jwt"
+	jwt "github.com/golang-jwt/jwt/v5"
 
 	"github.com/arangodb/kube-arangodb/pkg/util/errors"
 )
 
-func Parse(token string, secret []byte) (Claims, error) {
-	parsedToken, err := jg.Parse(token, func(token *jg.Token) (i interface{}, err error) {
-		return secret, nil
-	})
+var NotValidToken = errors.Errorf("Token is not valid")
 
+func Parse(token string, secret []byte) (Claims, error) {
+	parsedToken, err := jwt.Parse(token,
+		func(token *jwt.Token) (i interface{}, err error) {
+			return secret, nil
+		},
+		jwt.WithIssuedAt(),
+	)
 	if err != nil {
 		return nil, err
 	}
 
-	tokenClaims, ok := parsedToken.Claims.(jg.MapClaims)
+	if !parsedToken.Valid {
+		return nil, NotValidToken
+	}
+
+	tokenClaims, ok := parsedToken.Claims.(jwt.MapClaims)
 	if !ok {
 		return nil, errors.Errorf("Invalid token provided")
 	}
@@ -56,8 +64,5 @@ func ParseWithAny(token string, secrets ...[]byte) (Claims, error) {
 		}
 	}
 
-	return nil, &jg.ValidationError{
-		Inner:  jg.ErrSignatureInvalid,
-		Errors: 1,
-	}
+	return nil, jwt.ErrSignatureInvalid
 }

pkg/util/token/mods.go

@@ -21,7 +21,7 @@
 package token
 
 import (
-	jg "github.com/golang-jwt/jwt"
+	jwt "github.com/golang-jwt/jwt/v5"
 
 	"github.com/arangodb/kube-arangodb/pkg/util/errors"
 )
@@ -41,7 +41,7 @@ func NewClaims() Claims {
 	return Claims{}
 }
 
-type Claims jg.MapClaims
+type Claims jwt.MapClaims
 
 func (t Claims) With(mods ...Mod) Claims {
 	q := t
@@ -58,7 +58,7 @@ func (t Claims) With(mods ...Mod) Claims {
 }
 
 func New(secret []byte, claims map[string]interface{}) (string, error) {
-	token := jg.NewWithClaims(jg.SigningMethodHS256, jg.MapClaims(claims))
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims(claims))
 
 	// Sign and get the complete encoded token as a string using the secret
 	signedToken, err := token.SignedString(secret)