fix: Throw exception on invalid base64

src/JWT.php

@@ -111,14 +111,22 @@ public static function decode(
             throw new UnexpectedValueException('Wrong number of segments');
         }
         list($headb64, $bodyb64, $cryptob64) = $tks;
-        $headerRaw = static::urlsafeB64Decode($headb64);
+        try {
+            $headerRaw = static::urlsafeB64Decode($headb64);
+        } catch (InvalidArgumentException $e) {
+            throw new UnexpectedValueException('Unable to decode header');
+        }
         if (null === ($header = static::jsonDecode($headerRaw))) {
             throw new UnexpectedValueException('Invalid header encoding');
         }
         if ($headers !== null) {
             $headers = $header;
         }
-        $payloadRaw = static::urlsafeB64Decode($bodyb64);
+        try {
+            $payloadRaw = static::urlsafeB64Decode($bodyb64);
+        } catch (InvalidArgumentException $e) {
+            throw new UnexpectedValueException('Unable to decode payload');
+        }
         if (null === ($payload = static::jsonDecode($payloadRaw))) {
             throw new UnexpectedValueException('Invalid claims encoding');
         }
@@ -138,8 +146,13 @@ public static function decode(
         if (isset($payload->exp) && !\is_numeric($payload->exp)) {
             throw new UnexpectedValueException('Payload exp must be a number');
         }
-
-        $sig = static::urlsafeB64Decode($cryptob64);
+
+        try {
+            $sig = static::urlsafeB64Decode($cryptob64);
+        } catch (InvalidArgumentException $e) {
+            throw new UnexpectedValueException('Unable to decode signature');
+        }
+
         if (empty($header->alg)) {
             throw new UnexpectedValueException('Empty algorithm');
         }
@@ -434,11 +447,18 @@ public static function jsonEncode(array $input): string
      *
      * @return string A decoded string
      *
-     * @throws InvalidArgumentException invalid base64 characters
+     * @throws InvalidArgumentException invalid base64URL characters
      */
     public static function urlsafeB64Decode(string $input): string
     {
-        return \base64_decode(self::convertBase64UrlToBase64($input));
+        if (strpbrk($input, '+/=') !== false) {
+            throw new InvalidArgumentException('Input is not valid Base64URL');
+        }
+        $result = \base64_decode(self::convertBase64UrlToBase64($input), true);
+        if ($result === false) {
+            throw new InvalidArgumentException('Input is not valid Base64URL');
+        }
+        return $result;
     }
 
     /**

tests/JWTTest.php

@@ -44,6 +44,25 @@ public function testMalformedJsonThrowsException()
         JWT::jsonDecode('this is not valid JSON string');
     }
 
+    public function testBase64UrlDecode()
+    {
+        $decoded = JWT::urlsafeB64Decode('VGVzdCB3aXRoIGEgbWludXM-');
+        $expected = 'Test with a minus>';
+        $this->assertSame($expected, $decoded);
+    }
+
+    public function testMalformedBase64Url()
+    {
+        $this->expectException(InvalidArgumentException::class);
+        JWT::urlsafeB64Decode('VGVzdCB3aXR&oIGEgbWludXM-');
+    }
+
+    public function testMalformedBase64UrlButValidBase64()
+    {
+        $this->expectException(InvalidArgumentException::class);
+        JWT::urlsafeB64Decode('VGVzdCB3aXRoIGEgc2xhc2g/');
+    }
+
     public function testExpiredToken()
     {
         $this->expectException(ExpiredException::class);