SameerMesiah97 commented on code in PR #63115:
URL: https://github.com/apache/airflow/pull/63115#discussion_r2902804064
##########
airflow-core/src/airflow/api_fastapi/auth/tokens.py:
##########
@@ -326,13 +320,20 @@ async def avalidated_claims(
) -> dict[str, Any]:
"""Decode the JWT token, returning the validated claims or raising an
exception."""
key = await self._get_validation_key(unvalidated)
+ algorithms = self.algorithm
+ validation_key: str | jwt.PyJWK | Any = key
+ if algorithms == ["GUESS"] and isinstance(key, jwt.PyJWK):
+ header = jwt.get_unverified_header(unvalidated)
+ algorithms = [header.get("alg") or key.algorithm_name]
Review Comment:
Copilot hinted at this somewhat with it's suggestions but is slightly
off-mark. I think the bigger issue here is that we're letting the token header
decide the verification algorithm:
`algorithms = [header.get("alg") or key.algorithm_name]`
Since the header is unverified at this point, that effectively lets the
attacker choose the verification algorithm. Shouldn't we just use
`key.algorithm_name` insteed when using JWKS? I believe it would be in line
with the #TODO you removed as well.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
