andrewmusselman opened a new issue, #556:
URL: https://github.com/apache/tooling-trusted-releases/issues/556
## Summary
Overly broad exception handling in OIDC verification catches all errors
including SSL failures, silently falling back to hardcoded URI.
## ASVS Requirements
- 10.4.2 - OAuth/OIDC authorization server security
## Related Audit Reports
- [Universal Spoofing #401](ASVS/universal-spoofing-401.md) - Section 4
## Affected Files
- `atr/jwtoken.py:94-101`
## Current Behavior
```python
except Exception:  # Catches ALL errors including SSL failures
    jwks_uri = f"{_GITHUB_OIDC_ISSUER}/.well-known/jwks"
```
## Recommended Fix (Needs reworking)
```python
except aiohttp.ClientSSLError as e:
    log.error(f"TLS failure fetching OIDC config: {e}")
    raise base.ASFQuartException("OIDC unavailable", errorcode=503)
except aiohttp.ClientError as e:
    log.warning(f"Failed to fetch OIDC config: {e}")
    jwks_uri = f"{_GITHUB_OIDC_ISSUER}/.well-known/jwks"
```
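The before/after behaviour side by side, as an added example that is not code from the `atr/jwtoken.py` module: it uses the standard library's `ssl` and `asyncio` exceptions instead of aiohttp's so it runs offline, injects a fetcher instead of opening a connection, and assumes the issuer value and the `OIDCUnavailable` exception as placeholders for the project's own constant and `base.ASFQuartException`.

```python
import asyncio
import logging
import ssl
from typing import Awaitable, Callable

log = logging.getLogger(__name__)

# Assumed value; the issue names _GITHUB_OIDC_ISSUER but not its contents.
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"
DISCOVERY_URL = f"{GITHUB_OIDC_ISSUER}/.well-known/openid-configuration"
FALLBACK_JWKS_URI = f"{GITHUB_OIDC_ISSUER}/.well-known/jwks"
FETCH_TIMEOUT_S = 10  # the issue asks for 10s instead of the current 5s

Fetcher = Callable[[str], Awaitable[dict]]  # hypothetical: injected so this runs offline


class OIDCUnavailable(Exception):
    """Fail closed: the discovery document could not be fetched over a trusted channel."""


async def jwks_uri_broad(fetch_json: Fetcher) -> str:
    """Before: any error, including a TLS verification failure, silently falls back."""
    try:
        config = await asyncio.wait_for(fetch_json(DISCOVERY_URL), FETCH_TIMEOUT_S)
        return config["jwks_uri"]
    except Exception:
        return FALLBACK_JWKS_URI


async def jwks_uri_strict(fetch_json: Fetcher) -> str:
    """After: TLS errors abort the request; only transient transport errors fall back."""
    try:
        config = await asyncio.wait_for(fetch_json(DISCOVERY_URL), FETCH_TIMEOUT_S)
    # ssl.SSLError is itself an OSError, so it must come before the broader clause
    # (the same ordering applies to aiohttp.ClientSSLError vs aiohttp.ClientError).
    except ssl.SSLError as e:
        log.error("TLS failure fetching OIDC config: %s", e)
        raise OIDCUnavailable("OIDC unavailable") from e
    except (asyncio.TimeoutError, OSError) as e:
        log.warning("Failed to fetch OIDC config, using fallback jwks_uri: %s", e)
        return FALLBACK_JWKS_URI
    jwks_uri = config.get("jwks_uri")
    if not isinstance(jwks_uri, str) or not jwks_uri.startswith(GITHUB_OIDC_ISSUER):
        raise OIDCUnavailable("discovery document has no jwks_uri under the issuer")
    return jwks_uri


def resolve(fetch_json: Fetcher, strict: bool = True) -> str:
    """Synchronous entry point so the two variants can be compared side by side."""
    return asyncio.run((jwks_uri_strict if strict else jwks_uri_broad)(fetch_json))


# Constructed fetchers standing in for a real HTTPS client (no network involved).
async def fake_ok(url: str) -> dict:
    return {"jwks_uri": f"{GITHUB_OIDC_ISSUER}/jwks-discovered"}

async def fake_tls_failure(url: str) -> dict:
    raise ssl.SSLCertVerificationError("certificate verify failed")

async def fake_conn_refused(url: str) -> dict:
    raise ConnectionRefusedError("connection refused")
```

With the broad handler a certificate verification failure is indistinguishable from a successful fetch; with the strict one it surfaces as `OIDCUnavailable`, while a refused connection still degrades to the fallback URI with a warning.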
## Acceptance Criteria
- [ ] Specific exception types caught
- [ ] SSL failures logged and not silently ignored
- [ ] Timeout increased from 5s to 10s
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]