This is an automated email from the ASF dual-hosted git repository. arm pushed a commit to branch arm in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit fa6f64d609316e7158e02899ef802a893b9893cc
Author: Alastair McFarlane <[email protected]>
AuthorDate: Wed Mar 11 17:55:55 2026 +0000
#671 - validate https scheme for github oidc
---
atr/jwtoken.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/atr/jwtoken.py b/atr/jwtoken.py
index 7d119456..7b9700df 100644
--- a/atr/jwtoken.py
+++ b/atr/jwtoken.py
@@ -22,8 +22,8 @@ import functools
 import os
 import pathlib
 import secrets as secrets
+import urllib.parse as parse
 from typing import TYPE_CHECKING, Any, Final
-from urllib.parse import urlparse
 
 import aiohttp
 import asfquart
@@ -189,10 +189,16 @@ async def verify_github_oidc(token: str) -> dict[str, Any]:
 log.warning(f"Failed to fetch OIDC config: {exc}")
 jwks_uri = f"{_GITHUB_OIDC_ISSUER}/.well-known/jwks"
 
- if urlparse(jwks_uri).hostname not in _GITHUB_TRUSTED_DOMAINS:
+ url = parse.urlparse(jwks_uri)
+
+ if url.hostname not in _GITHUB_TRUSTED_DOMAINS:
 log.error(f"Untrusted domain in GitHub OIDC endpoint: {jwks_uri}")
 raise base.ASFQuartException("Untrusted domain in GitHub OIDC endpoint", 502)
 
+ if url.scheme != "https":
 log.error(f"Github OIDC returned insecure URI: {jwks_uri}")
 raise base.ASFQuartException("Github OIDC returned insecure URI", 502)
+
 jwks_client = jwt.PyJWKClient(jwks_uri)
 signing_key = jwks_client.get_signing_key_from_jwt(token)
 payload = jwt.decode(
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
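Review bot: The added `if url.scheme != "https":` check pins the scheme, but neither it nor the existing hostname check constrains `url.port`, so a URI on a trusted host with a non-default port still reaches `jwt.PyJWKClient(jwks_uri)`; if the intent is to pin the JWKS endpoint rather than only the host, a separate `if url.port is not None:` rejection (or comparing the URI against the expected origin) would close that gap. The new message also spells `Github` where the message a few lines above spells `GitHub`, so `log.error(f"GitHub OIDC returned insecure URI: {jwks_uri}")` and the matching exception text would keep the two consistent and greppable. A one-line comment above `url = parse.urlparse(jwks_uri)`, e.g. `# jwks_uri presumably comes from the fetched discovery document; pin host and scheme before PyJWKClient dereferences it`, would record why these checks exist. verify_github_oidc's body starts before and continues after this hunk.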
