This is an automated email from the ASF dual-hosted git repository.
arm pushed a commit to branch arm
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/arm by this push:
new d6e74ad1 #671 - validate https scheme for github oidc
d6e74ad1 is described below
commit d6e74ad19f100d17642ce4843e2ee312cf69a816
Author: Alastair McFarlane <[email protected]>
AuthorDate: Wed Mar 11 17:55:55 2026 +0000
#671 - validate https scheme for github oidc
---
atr/jwtoken.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/atr/jwtoken.py b/atr/jwtoken.py
index 7d119456..7b9700df 100644
--- a/atr/jwtoken.py
+++ b/atr/jwtoken.py
@@ -22,8 +22,8 @@ import functools
import os
import pathlib
import secrets as secrets
+import urllib.parse as parse
from typing import TYPE_CHECKING, Any, Final
-from urllib.parse import urlparse
import aiohttp
import asfquart
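Review bot: Dropping `from urllib.parse import urlparse` in favour of `import urllib.parse as parse` is only safe if no other line of atr/jwtoken.py still calls the bare `urlparse(...)`; the diffstat (8 insertions, 2 deletions) shows that only the one call in verify_github_oidc was rewritten, so any other use would now fail with a NameError at call time rather than at import. That cannot be confirmed from this hunk, so it is worth a quick grep before merging. If the alias is kept, `import urllib.parse` with calls spelled `urllib.parse.urlparse(...)` would avoid the very generic module name `parse` in this file's namespace.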
@@ -189,10 +189,16 @@ async def verify_github_oidc(token: str) -> dict[str,
Any]:
log.warning(f"Failed to fetch OIDC config: {exc}")
jwks_uri = f"{_GITHUB_OIDC_ISSUER}/.well-known/jwks"
- if urlparse(jwks_uri).hostname not in _GITHUB_TRUSTED_DOMAINS:
+ url = parse.urlparse(jwks_uri)
+
+ if url.hostname not in _GITHUB_TRUSTED_DOMAINS:
log.error(f"Untrusted domain in GitHub OIDC endpoint: {jwks_uri}")
raise base.ASFQuartException("Untrusted domain in GitHub OIDC
endpoint", 502)
+ if url.scheme != "https":
+ log.error(f"Github OIDC returned insecure URI: {jwks_uri}")
+ raise base.ASFQuartException("Github OIDC returned insecure URI", 502)
+
jwks_client = jwt.PyJWKClient(jwks_uri)
signing_key = jwks_client.get_signing_key_from_jwt(token)
payload = jwt.decode(
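Review bot: The two new messages `log.error(f"Github OIDC returned insecure URI: {jwks_uri}")` and `raise base.ASFQuartException("Github OIDC returned insecure URI", 502)` spell the vendor "Github", while the adjacent existing message uses "GitHub"; keep one spelling, e.g. `raise base.ASFQuartException("GitHub OIDC returned insecure URI", 502)`. The scheme check itself is sound — `parse.urlparse` lowercases the scheme, so a mixed-case `HTTPS://` prefix still passes — but a one-line why-comment above `if url.scheme != "https":` would help the next reader, since on the success path jwks_uri presumably comes from the fetched discovery document rather than the hard-coded fallback shown here: `# jwks_uri may originate from the remote discovery document; refuse to fetch signing keys over plaintext`. Note that verify_github_oidc begins and ends outside this hunk, so the origin of jwks_uri on the non-fallback path is inferred, not visible.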