andrewmusselman opened a new issue, #779: URL: https://github.com/apache/tooling-trusted-releases/issues/779
**Source:** ASVS 2.2.2 Finding 11
**CWE:** CWE-20 (Improper Input Validation)
**Location:** `atr/api/__init__.py`, lines 658–664

#### Description

The `_jwt_asf_uid()` function validates the type of the JWT `sub` claim but not its format. Since this value is used in authorization decisions, it should be validated against the expected ASF UID pattern.

#### Recommendation

Add a comment to the runbook explaining that this is validated downstream.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
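To make the finding concrete, here is an added example (not code from the tooling-trusted-releases project) placing a type-only check on the `sub` claim beside one that also enforces a UID shape, and running both over constructed decoded-claims dicts. The pattern in `ASF_UID_RE` is an assumption for illustration only; the project's actual expected ASF UID pattern is not stated in the issue.

```python
import re

# Assumed UID shape (an assumption for this example, not taken from the
# project): a lowercase ASCII letter, then lowercase letters, digits or
# hyphens, 2 to 32 characters in total. Used with fullmatch, so no anchors.
ASF_UID_RE = re.compile(r"[a-z][a-z0-9-]{1,31}")

def uid_type_only(claims: dict) -> str:
    """Type check only: any non-empty string passes, whatever it contains."""
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("sub claim missing or not a string")
    return sub

def uid_type_and_format(claims: dict) -> str:
    """Type and format check: the value must also match the expected shape."""
    sub = claims.get("sub")
    if not isinstance(sub, str):
        raise ValueError("sub claim missing or not a string")
    if not ASF_UID_RE.fullmatch(sub):
        raise ValueError("sub claim is not a well-formed ASF UID")
    return sub

def compare(claims: dict) -> tuple:
    """Return (accepted by type-only check, accepted by type+format check)."""
    def accepts(check) -> bool:
        try:
            check(claims)
            return True
        except ValueError:
            return False
    return accepts(uid_type_only), accepts(uid_type_and_format)

# Constructed decoded-claims samples; only the first is a well-formed UID.
SAMPLES = {
    "well-formed":    {"sub": "andrewmusselman"},
    "trailing-space": {"sub": "andrewmusselman "},
    "uppercase":      {"sub": "AndrewMusselman"},
    "path-like":      {"sub": "../andrewmusselman"},
    "wrong-type":     {"sub": 12345},
    "missing":        {},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        type_only, type_and_format = compare(claims)
        print(f"{name:15s} type-only={type_only!s:5s} type+format={type_and_format}")
```

The four string samples all clear the type-only check; only the first clears the format check, which is the gap the finding points at.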
