andrewmusselman opened a new issue, #680:
URL: https://github.com/apache/tooling-trusted-releases/issues/680
**Source:** V10.4.2 audit — Observation 2
### Description
In `src/asfquart/generics.py` (line ~69), the OAuth token exchange uses a
Python `assert` statement to verify the response from the authorization server:
```python
assert rv.status == 200, "Could not verify oauth response."
```
`assert` statements are stripped when Python is run with the `-O` (optimize)
flag. If the application were ever started with optimization enabled, this
check would be silently skipped, potentially allowing the OAuth flow to proceed
with a failed or malicious token exchange response.
### Recommendation
1. Document we cannot run with `-O` flag
Or replace with explicit exception handling:
```python
if rv.status != 200:
return quart.Response(status=403, response="OAuth authentication
failed.")
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
