Fix memory leaks and grammar errors, add Dockerfile.test for Valgrind testing

maximmasiutin · maximmasiutin · commit f444de22f6fd · 2025-12-01T20:26:38.000+02:00
diff --git a/.gitattributes b/.gitattributes
@@ -1 +1,2 @@
 *.sh text eol=lf
+.github.workflows.trivy-analysis.yaml text eol=lf
diff --git a/.github/workflows/trivy-analysis.yaml b/.github/workflows/trivy-analysis.yaml
@@ -19,18 +19,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5
 
       - name: Run Trivy vulnerability scanner on the cloned repository files
-        uses: aquasecurity/trivy-action@0.30.0
+        uses: aquasecurity/trivy-action@0.33.1
         with:
-          version: 'v0.61.1'
+          version: 'v0.67.0'
           scan-type: 'fs'
           scanners: 'vuln,misconfig,secret,license'
           ignore-unfixed: true
           format: 'sarif'
           output: ${{ env.SARIF_FILE }}
-          severity: 'CRITICAL'
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
 
       - name: Check Trivy scan results existence
         run: |
@@ -41,7 +41,7 @@ jobs:
           ls -lash ${{ env.SARIF_FILE }}
           
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3.28.16
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: ${{ env.SARIF_FILE }}
 
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,6 @@
 FROM frolvlad/alpine-gcc:latest
-RUN apk add --quiet --no-cache libressl-dev make
+# Update packages to get latest security fixes for OpenSSL (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232)
+RUN apk update && apk upgrade --no-cache && apk add --quiet --no-cache libressl-dev make
 
 # Create non-root user and group
 RUN addgroup -S appgroup && adduser -S appuser -G appgroup
@@ -10,8 +11,8 @@ COPY Makefile /opt/src/
 COPY entrypoint.sh /
 
 WORKDIR /opt/src
+# Note: Only need one make command on Alpine Linux (macOS paths removed)
 RUN make
-RUN make OPENSSL=/usr/local/opt/openssl/include OPENSSL_LIB=-L/usr/local/opt/openssl/lib
 RUN ["chmod", "+x", "/entrypoint.sh"]
 RUN ["chmod", "+x", "/opt/src/jwtcrack"]
 
diff --git a/Dockerfile.test b/Dockerfile.test
@@ -0,0 +1,22 @@
+FROM frolvlad/alpine-gcc:latest
+# Update packages to get latest security fixes for OpenSSL (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232)
+RUN apk update && apk upgrade --no-cache && apk add --quiet --no-cache libressl-dev make valgrind bash coreutils
+
+# Create non-root user for security (AVD-DS-0002)
+RUN addgroup -S testgroup && adduser -S testuser -G testgroup
+
+COPY ./*.h /opt/src/
+COPY ./*.c /opt/src/
+COPY Makefile /opt/src/
+COPY test_security.sh /opt/src/
+
+WORKDIR /opt/src
+
+# Build with debug symbols for better Valgrind output
+RUN make CFLAGS="-g -O0"
+RUN chmod +x /opt/src/test_security.sh
+RUN chown -R testuser:testgroup /opt/src
+
+USER testuser
+
+CMD ["/opt/src/test_security.sh"]
diff --git a/README.md b/README.md
@@ -16,6 +16,17 @@ docker build . -t jwtcrack
 docker run -it --rm  jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE
 ```
 
+## Testing with Docker
+
+Build and run the test image which includes Valgrind for memory leak detection:
+
+```
+docker build -f Dockerfile.test -t jwtcrack-test .
+docker run --rm jwtcrack-test
+```
+
+This runs a functional test with 20 threads and a Valgrind memory check.
+
 ## Manual Compilation
 
 Make sure you have openssl's headers installed.
@@ -78,6 +89,6 @@ $ > ./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzM4NCJ9.eyJyb2xlIjoiYWRtaW4ifQ.31xCH
 ## IMPORTANT: Known bugs
 
 The base64 implementation I use (from Apple) is sometimes buggy because not every Base64 implementation is the same.
-So sometimes, decrypting of your Base64 token will only work partially and thus you will be able to find a secret to your token that is not the correct one.
+So sometimes, decrypting your Base64 token will only work partially and thus you will be able to find a secret to your token that is not the correct one.
 
 If someone is willing to implement a more robust Base64 implementation, that would be great :)
diff --git a/base64.c b/base64.c
@@ -87,12 +87,14 @@
 #include "base64.h"
 
 /* aaaack but it's fast and const should make it shared text page. */
+/* Modified to support both Base64 (+/) and Base64URL (-_) per RFC 4648 */
 static const unsigned char pr2six[256] =
 {
     /* ASCII table */
     64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
     64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
-    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 63,
+ /* sp  !   "   #   $   %   &   '   (   )   *   +   ,   -   .   /  */
+    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 62, 64, 63,
     52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
     64,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14,
     15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 63,
@@ -149,7 +151,7 @@ int Base64decode(char *bufplain, const char *bufcoded)
     nprbytes -= 4;
     }
 
-    /* Note: (nprbytes == 1) would be an error, so just ingore that case */
+    /* Note: (nprbytes == 1) would be an error, so just ignore that case */
     if (nprbytes > 1) {
     *(bufout++) =
         (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,2 +1,2 @@
 #!/bin/sh
-/opt/src/jwtcrack $@
+/opt/src/jwtcrack "$@"
diff --git a/main.c b/main.c
diff --git a/test_security.sh b/test_security.sh

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`*.sh text eol=lf`
	`2`	`+.github.workflows.trivy-analysis.yaml text eol=lf`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`#!/bin/sh`
`2`		`-/opt/src/jwtcrack $@`
	`2`	`+/opt/src/jwtcrack "$@"`