This is an automated email from the ASF dual-hosted git repository.
arm pushed a commit to branch arm
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/arm by this push:
new 0e4e94a7 #671 - validate trusted domains for JWKS URI
0e4e94a7 is described below
commit 0e4e94a73787381dfce817ececec8f6dae52c678
Author: Alastair McFarlane <[email protected]>
AuthorDate: Wed Mar 11 16:48:55 2026 +0000
#671 - validate trusted domains for JWKS URI
---
atr/jwtoken.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/atr/jwtoken.py b/atr/jwtoken.py
index 2cebd4f0..7d119456 100644
--- a/atr/jwtoken.py
+++ b/atr/jwtoken.py
@@ -23,6 +23,7 @@ import os
import pathlib
import secrets as secrets
from typing import TYPE_CHECKING, Any, Final
+from urllib.parse import urlparse
import aiohttp
import asfquart
@@ -49,6 +50,7 @@ _GITHUB_OIDC_EXPECTED: Final[dict[str, str]] = {
"runner_environment": "github-hosted",
}
_GITHUB_OIDC_ISSUER: Final[str] = "https://token.actions.githubusercontent.com"
+_GITHUB_TRUSTED_DOMAINS: Final[list[str]] =
["token.actions.githubusercontent.com"]
_JWT_KEY_APP_EXTENSION: Final[str] = "jwt_secret_key"
_JWT_KEY_PATH: Final[pathlib.Path] =
pathlib.Path("secrets/generated/jwt_secret_key.txt")
_JWT_KEY_TMP_PATH: Final[pathlib.Path] =
pathlib.Path("secrets/generated/jwt_secret_key.txt.tmp")
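Review bot: `_GITHUB_TRUSTED_DOMAINS` repeats the host that is already encoded in `_GITHUB_OIDC_ISSUER` on the preceding line, so the allow-list and the issuer can silently drift apart if either is changed later, and nothing at the definition says what the list is consulted for. A short comment above it would fix that, e.g. `# Hosts that a jwks_uri taken from the fetched OIDC config may point to; keep in sync with _GITHUB_OIDC_ISSUER`. Since the value is used only for membership tests, `Final[frozenset[str]] = frozenset({"token.actions.githubusercontent.com"})` also reads more clearly as an allow-list than a `list` does.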
@@ -187,6 +189,10 @@ async def verify_github_oidc(token: str) -> dict[str, Any]:
log.warning(f"Failed to fetch OIDC config: {exc}")
jwks_uri = f"{_GITHUB_OIDC_ISSUER}/.well-known/jwks"
+ if urlparse(jwks_uri).hostname not in _GITHUB_TRUSTED_DOMAINS:
+ log.error(f"Untrusted domain in GitHub OIDC endpoint: {jwks_uri}")
+ raise base.ASFQuartException("Untrusted domain in GitHub OIDC
endpoint", 502)
+
jwks_client = jwt.PyJWKClient(jwks_uri)
signing_key = jwks_client.get_signing_key_from_jwt(token)
payload = jwt.decode(
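Review bot: The new guard checks only `urlparse(jwks_uri).hostname`, so a `jwks_uri` from the fetched OIDC config that uses a trusted host but a different scheme or an explicit port (for example `http://token.actions.githubusercontent.com:8080/...`) still passes and `PyJWKClient` would then fetch signing keys from it; `.hostname` drops the port and says nothing about the scheme. Pinning the scheme closes that gap with a two-line change: `parsed = urlparse(jwks_uri)` followed by `if parsed.scheme != "https" or parsed.hostname not in _GITHUB_TRUSTED_DOMAINS:`. The fallback `jwks_uri` built from `_GITHUB_OIDC_ISSUER` on the line above the guard already satisfies both conditions, so the constant path is unaffected. The body of `verify_github_oidc` starts and ends outside this hunk, so where `jwks_uri` is assigned on the non-fallback path is inferred rather than visible here.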