andrewmusselman opened a new issue, #540:
URL: https://github.com/apache/tooling-trusted-releases/issues/540

## Summary

JWT token IDs are generated with only 64 bits of entropy, below the ASVS requirement of 128 bits for non-guessable tokens.

## ASVS Requirements

- 4.4.1 - Access control tokens
- 12.2.1 - Random values entropy

## Related Audit Reports

- [Weak Cryptography #399](ASVS/weak-cryptography-399.md) - Section 2, Issue 1
- [Internal Access #402](ASVS/internal-access-402.md) - Section 2.3.1
- [Brute Force #405](ASVS/brute-force-identification-405.md) - Section 6.4.1

## Affected Files

- `atr/jwtoken.py:53`

## Current Behavior

```python
"jti": secrets.token_hex(8),  # Only 64 bits of entropy
```

## Recommended Fix

```python
"jti": secrets.token_hex(16),  # 128 bits of entropy per ASVS 12.2.1
```

## Acceptance Criteria

- [ ] JWT ID changed to `secrets.token_hex(16)`
- [ ] Existing JWTs still valid until expiration
- [ ] Unit test updated
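The following is an added example, not code from the issue or from the `atr/jwtoken.py` module it references. It shows the entropy arithmetic behind the two snippets (`secrets.token_hex(n)` yields 4 bits per hex digit, so 8 bytes is 64 bits and 16 bytes is 128 bits) and how a validator that checks only `exp` lets tokens issued with the old 64-bit `jti` stay valid until they expire, which is the second acceptance criterion. The `make_claims`, `validate_claims` and `meets_asvs` helpers are hypothetical; the real module's claim layout is not shown in the issue.

```python
import re
import secrets
import time

# Minimum entropy ASVS 12.2.1 requires for a non-guessable token (assumption
# taken from the issue text, not from the project's code).
MIN_JTI_BITS = 128


def new_jti(nbytes: int = 16) -> str:
    """Return a fresh JWT ID; token_hex(nbytes) carries 8 * nbytes bits."""
    return secrets.token_hex(nbytes)


def jti_entropy_bits(jti: str) -> int:
    """Entropy of a jti produced by secrets.token_hex: 4 bits per hex digit."""
    if not re.fullmatch(r"[0-9a-f]+", jti):
        raise ValueError("jti is not lowercase hex")
    return 4 * len(jti)


def meets_asvs(jti: str) -> bool:
    """True when the jti has at least MIN_JTI_BITS of entropy."""
    return jti_entropy_bits(jti) >= MIN_JTI_BITS


def make_claims(subject: str, ttl_seconds: int, nbytes: int = 16, now=None) -> dict:
    """Hypothetical claim-set builder; nbytes=8 reproduces the old behaviour."""
    now = int(time.time()) if now is None else now
    return {
        "sub": subject,
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": new_jti(nbytes),
    }


def validate_claims(claims: dict, now=None) -> bool:
    """Hypothetical verifier: rejects expired tokens and malformed jti values.

    It accepts any hex jti of 16 or more digits, so tokens minted with the
    old token_hex(8) keep working until their exp passes; only newly minted
    tokens pick up the 128-bit jti.
    """
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        return False
    if not re.fullmatch(r"[0-9a-f]{16,}", claims["jti"]):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: one token from before the fix, one after, same issue time.
    issued = 1_000_000
    old = make_claims("alice", ttl_seconds=3600, nbytes=8, now=issued)
    new = make_claims("alice", ttl_seconds=3600, now=issued)
    print("old jti bits:", jti_entropy_bits(old["jti"]), "meets ASVS:", meets_asvs(old["jti"]))
    print("new jti bits:", jti_entropy_bits(new["jti"]), "meets ASVS:", meets_asvs(new["jti"]))
    print("old token still valid before exp:", validate_claims(old, now=issued + 10))
    print("old token valid after exp:", validate_claims(old, now=issued + 3600))
```

The `meets_asvs` check is the kind of assertion the updated unit test from the third acceptance criterion would carry: it fails for any token built with `token_hex(8)` and passes once the call site uses `token_hex(16)`, without the validator having to change at all.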
