jws: improve fix for CVE-2025-22868

The fix for CVE-2025-22868 relies on strings.Count, which isn't ideal
because it precludes failing fast when the token contains an unexpected
number of periods. Moreover, Verify still allocates more than necessary.

Eschew strings.Count in favor of strings.Cut. Some benchmark results:

goos: darwin
goarch: amd64
pkg: golang.org/x/oauth2/jws
cpu: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
                              │      old       │                 new                 │
                              │     sec/op     │   sec/op     vs base                │
Verify/full_of_periods-8        24862.50n ± 1%   57.87n ± 0%  -99.77% (p=0.000 n=20)
Verify/two_trailing_periods-8      3.485m ± 1%   3.445m ± 1%   -1.13% (p=0.003 n=20)
geomean                            294.3µ        14.12µ       -95.20%

                              │     old      │                  new                   │
                              │     B/op     │     B/op      vs base                  │
Verify/full_of_periods-8          16.00 ± 0%     16.00 ± 0%        ~ (p=1.000 n=20) ¹
Verify/two_trailing_periods-8   2.001Mi ± 0%   1.001Mi ± 0%  -49.98% (p=0.000 n=20)
geomean                         5.658Ki        4.002Ki       -29.27%
¹ all samples are equal

                              │     old     │                 new                  │
                              │  allocs/op  │ allocs/op   vs base                  │
Verify/full_of_periods-8         1.000 ± 0%   1.000 ± 0%        ~ (p=1.000 n=20) ¹
Verify/two_trailing_periods-8   12.000 ± 0%   9.000 ± 0%  -25.00% (p=0.000 n=20)
geomean                          3.464        3.000       -13.40%
¹ all samples are equal

Also, remove all remaining calls to strings.Split.

Updates golang/go#71490

Change-Id: Icac3c7a81562161ab6533d892ba19247d6d5b943
GitHub-Last-Rev: 3a82900f747798f5f36065126385880277c0fce7
GitHub-Pull-Request: golang/oauth2#774
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/655455
Commit-Queue: Neal Patel <nealpatel@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Auto-Submit: Neal Patel <nealpatel@google.com>
2 files changed
tree: 8818f62bec9f9dbd259cb9daf21ae1248170722b
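The strings.Cut approach the commit message describes, as an added illustration that is not the x/oauth2 code itself: SplitCompact (a hypothetical name, as are Parts and ErrMalformed) rejects a token with the wrong number of periods after at most three scans, never allocates a []string, and returns the signed input as a substring of the token rather than concatenating header and payload.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrMalformed mirrors the "wrong number of parts" failure; the name and type
// are assumptions for this example, not the library's.
var ErrMalformed = errors.New("jws: token must have exactly three period-separated parts")

// Parts holds the three segments of a compact JWS plus the signed input.
type Parts struct {
	Header, Payload, Signature string
	// SignedInput is the "header.payload" prefix the signature covers, taken as
	// a substring of the token so no new string is allocated for it.
	SignedInput string
}

// SplitCompact splits "header.payload.signature" with strings.Cut. Unlike
// strings.Count followed by strings.Split, it never scans past the third
// period and never builds a []string, so a token that is nothing but periods
// costs a few comparisons rather than one string header per segment.
func SplitCompact(token string) (Parts, error) {
	header, rest, ok := strings.Cut(token, ".")
	if !ok {
		return Parts{}, ErrMalformed
	}
	payload, sig, ok := strings.Cut(rest, ".")
	if !ok {
		return Parts{}, ErrMalformed
	}
	// A third period means a fourth segment: fail fast here instead of
	// discovering it after splitting everything.
	if strings.Contains(sig, ".") {
		return Parts{}, ErrMalformed
	}
	return Parts{
		Header:      header,
		Payload:     payload,
		Signature:   sig,
		SignedInput: token[:len(header)+1+len(payload)],
	}, nil
}

func main() {
	// Constructed inputs: a well-formed shape and a 1 MiB string of periods.
	for _, tok := range []string{"aGVhZGVy.cGF5bG9hZA.c2ln", strings.Repeat(".", 1<<20)} {
		p, err := SplitCompact(tok)
		fmt.Printf("len=%d signedInput=%q err=%v\n", len(tok), p.SignedInput, err)
	}
}
```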
README.md

OAuth2 for Go


The oauth2 package contains a client implementation for the OAuth 2.0 spec.

See pkg.go.dev for further documentation and examples.

Policy for new endpoints

We no longer accept new provider-specific packages in this repo if all they do is add a single endpoint variable. If you just want to add a single endpoint, add it to the pkg.go.dev/golang.org/x/oauth2/endpoints package.

Report Issues / Send Patches

The main issue tracker for the oauth2 repository is located at https://github.com/golang/oauth2/issues.

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://go.dev/doc/contribute.

The git repository is https://go.googlesource.com/oauth2.

Note:

  • Excluding trivial changes, all contributions should be connected to an existing issue.
  • API changes must go through the change proposal process before they can be accepted.
  • The code owners are listed at dev.golang.org/owners.