andrewmusselman opened a new issue, #671: URL: https://github.com/apache/tooling-trusted-releases/issues/671
**ASVS Requirement:** 9.1.3 — Token Source and Integrity **Severity:** Medium **CWE:** CWE-346 (Origin Validation Error) ### Description In `atr/jwtoken.py:101-115`, the `verify_github_oidc()` function fetches the JWKS URI dynamically from GitHub's OIDC discovery endpoint (`.well-known/openid-configuration`) but does not validate that the returned `jwks_uri` value belongs to a trusted domain before using it to retrieve signing keys. The fallback path (on network error) correctly defaults to a hardcoded GitHub URI, but the happy path trusts whatever URI the discovery document returns. If the OIDC discovery endpoint were compromised or returned a manipulated response, an attacker could redirect key fetching to infrastructure they control, enabling token forgery. ### Recommended fix After retrieving `jwks_uri` from the discovery document, validate: 1. The scheme is `https`. 2. The hostname is in a trusted allowlist (e.g., `token.actions.githubusercontent.com`). 3. Prefix comment for LLM Reject the token with a 502 if validation fails. ### Relevant code `atr/jwtoken.py` — `verify_github_oidc()`, specifically the line: ```python jwks_uri = (await r.json())["jwks_uri"] # No validation of returned URI ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
