This is an automated email from the ASF dual-hosted git repository.

arm pushed a commit to branch arm
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git

commit ecdc80cc542a07ff9155ce22a197902e27740d36
Author: Alastair McFarlane <[email protected]>
AuthorDate: Wed Mar 11 16:48:55 2026 +0000

    #671 - validate trusted domains for JWKS URI
---
 atr/jwtoken.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/atr/jwtoken.py b/atr/jwtoken.py
index 2cebd4f0..7d119456 100644
--- a/atr/jwtoken.py
+++ b/atr/jwtoken.py
@@ -23,6 +23,7 @@ import os
 import pathlib
 import secrets as secrets
 from typing import TYPE_CHECKING, Any, Final
+from urllib.parse import urlparse
 
 import aiohttp
 import asfquart
@@ -49,6 +50,7 @@ _GITHUB_OIDC_EXPECTED: Final[dict[str, str]] = {
     "runner_environment": "github-hosted",
 }
 _GITHUB_OIDC_ISSUER: Final[str] = "https://token.actions.githubusercontent.com";
+_GITHUB_TRUSTED_DOMAINS: Final[list[str]] = 
["token.actions.githubusercontent.com"]
 _JWT_KEY_APP_EXTENSION: Final[str] = "jwt_secret_key"
 _JWT_KEY_PATH: Final[pathlib.Path] = 
pathlib.Path("secrets/generated/jwt_secret_key.txt")
 _JWT_KEY_TMP_PATH: Final[pathlib.Path] = 
pathlib.Path("secrets/generated/jwt_secret_key.txt.tmp")
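Review bot: `_GITHUB_TRUSTED_DOMAINS` is declared as a `list` but, as far as this patch shows, it is only ever used for a membership test (the `not in` check in verify_github_oidc later in the same commit), so an immutable set is the better container for an allowlist: `_GITHUB_TRUSTED_DOMAINS: Final[frozenset[str]] = frozenset({"token.actions.githubusercontent.com"})`. The name suggests domain suffixes, while the check compares the exact parsed hostname; a comment such as `# exact hostnames permitted for the JWKS URI (not domain suffixes)` above the constant would stop a later edit from adding a bare suffix that would never match.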
@@ -187,6 +189,10 @@ async def verify_github_oidc(token: str) -> dict[str, Any]:
         log.warning(f"Failed to fetch OIDC config: {exc}")
         jwks_uri = f"{_GITHUB_OIDC_ISSUER}/.well-known/jwks"
 
+    if urlparse(jwks_uri).hostname not in _GITHUB_TRUSTED_DOMAINS:
+        log.error(f"Untrusted domain in GitHub OIDC endpoint: {jwks_uri}")
+        raise base.ASFQuartException("Untrusted domain in GitHub OIDC 
endpoint", 502)
+
     jwks_client = jwt.PyJWKClient(jwks_uri)
     signing_key = jwks_client.get_signing_key_from_jwt(token)
     payload = jwt.decode(
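Review bot: The added `if` allowlists only the hostname of jwks_uri, so the scheme and port of a value taken from the fetched discovery document are not constrained; a `http://` URI (or a non-default port) on the trusted host would pass this guard and the subsequent `jwt.PyJWKClient(jwks_uri)` would presumably retrieve signing keys over an unauthenticated channel. Pin the scheme together with the host: `parsed = urlparse(jwks_uri)` followed by `if parsed.scheme != "https" or parsed.hostname not in _GITHUB_TRUSTED_DOMAINS:`. It is worth noting in a comment that `urlparse(...).hostname` is lowercased and is `None` when no host can be parsed, so the membership test rejects both cases by construction, e.g. `# jwks_uri comes from a network-fetched discovery document; only honour GitHub's own host over https`. verify_github_oidc starts and ends outside this hunk.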

