andrewmusselman opened a new issue, #707:
URL: https://github.com/apache/tooling-trusted-releases/issues/707
**ASVS:** 15.3.1 · Finding 7
**Severity:** MEDIUM
**CWE:** CWE-200 (Exposure of Sensitive Information)
### Description
JWT/OIDC payload handling in `atr/jwtoken.py` (lines 105–109) uses an
incomplete denylist approach (deleting specific fields) rather than an
allowlist. A commented-out deletion line shows the approach is fragile:
```python
# del payload["actor_id"]  # COMMENTED OUT
del payload["repository_id"]
del payload["repository_owner_id"]
del payload["run_id"]
return payload  # Returns the remaining payload fields; any new fields are automatically included
```
> **Note:** This is distinct from closed issue #556 (narrow exception
handling in OIDC verification). That addresses error handling; this addresses
payload field filtering.
### Recommendation
Switch to an allowlist or Lax model working like one:
```python
_ALLOWED_FIELDS = {"repository", "repository_owner", "workflow", "ref",
"sha", "job_workflow_ref"}
return {k: v for k, v in payload.items() if k in _ALLOWED_FIELDS}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
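The following is an added example (not code from the issue or from the tooling-trusted-releases project) that puts the two filtering strategies side by side on a constructed GitHub Actions OIDC claim set. The claim names mirror the ones the issue quotes plus the standard `iss`/`aud`/`sub` claims; `new_internal_claim` is a made-up claim standing in for any field the issuer might add later. It also adds the check a practitioner usually wants next to an allowlist: failing closed when a claim the application depends on is absent, rather than silently returning a smaller dict.

```python
"""Denylist vs allowlist filtering of OIDC ID-token claims (added example)."""
from __future__ import annotations

from typing import Any

# Claims downstream code is allowed to see; names taken from the issue's suggestion.
ALLOWED_CLAIMS: frozenset[str] = frozenset(
    {"repository", "repository_owner", "workflow", "ref", "sha", "job_workflow_ref"}
)
# Claims that must be present for the token to be usable at all (assumption for this example).
REQUIRED_CLAIMS: frozenset[str] = frozenset({"repository", "ref", "sha"})

# Constructed sample payload; every value here is made up for illustration.
SAMPLE_CLAIMS: dict[str, Any] = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "example-audience",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "repository": "example-org/example-repo",
    "repository_owner": "example-org",
    "repository_id": "123456",
    "repository_owner_id": "654321",
    "actor_id": "42",
    "run_id": "99",
    "workflow": "release",
    "ref": "refs/heads/main",
    "sha": "0123456789abcdef0123456789abcdef01234567",
    "job_workflow_ref": "example-org/example-repo/.github/workflows/release.yml@refs/heads/main",
    # Hypothetical claim added by the issuer after the denylist was written.
    "new_internal_claim": "something-sensitive",
}


def filter_denylist(payload: dict[str, Any]) -> dict[str, Any]:
    """Mirror the pattern quoted in the issue: drop three known fields, pass everything else.

    actor_id is intentionally NOT removed, matching the commented-out line in the issue.
    """
    out = dict(payload)  # copy so the caller's dict is not mutated
    for key in ("repository_id", "repository_owner_id", "run_id"):
        out.pop(key, None)
    return out


def filter_allowlist(payload: dict[str, Any]) -> dict[str, Any]:
    """Keep only claims named in ALLOWED_CLAIMS; fail closed if a required claim is missing."""
    missing = REQUIRED_CLAIMS - payload.keys()
    if missing:
        raise ValueError(f"token is missing required claims: {sorted(missing)}")
    return {k: v for k, v in payload.items() if k in ALLOWED_CLAIMS}


def leaked_claims(payload: dict[str, Any]) -> set[str]:
    """Claims the denylist lets through that the allowlist would withhold."""
    return set(filter_denylist(payload)) - set(filter_allowlist(payload))


if __name__ == "__main__":
    # Demonstrates the gap on the constructed payload.
    print("denylist passes through:", sorted(filter_denylist(SAMPLE_CLAIMS)))
    print("allowlist returns:      ", sorted(filter_allowlist(SAMPLE_CLAIMS)))
    print("leaked by denylist only:", sorted(leaked_claims(SAMPLE_CLAIMS)))
```

The denylist version hands `actor_id`, the three registered claims and the unknown `new_internal_claim` to whatever consumes the result; the allowlist version returns exactly the six named claims and raises if, say, `sha` is absent, so a truncated or unexpected token is rejected rather than partially trusted. Issuer, audience, expiry and signature verification are assumed to have happened before either filter runs; the filter is not a substitute for that step.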