asf-tooling opened a new issue, #1118: URL: https://github.com/apache/tooling-trusted-releases/issues/1118
**ASVS Level(s):** L1

**Description:**

### Summary

The `verify()` function in `atr/jwtoken.py` performs an unverified JWT decode to extract the `sub` claim for logging context (`log.set_asf_uid()`) before the verified signature check completes. This allows an attacker to inject arbitrary usernames into authentication failure log entries. The unverified decode happens first with `verify_signature=False`, then the `sub` claim is used for logging, and only afterward does signature verification occur. This creates a TOCTOU (time-of-check, time-of-use) race condition where unverified data is used before verification completes.

### Details

In `atr/jwtoken.py` at lines 108-112, the function performs the unverified decode and uses the `sub` claim for logging before signature verification is complete.

### Recommended Remediation

Refactor the `verify()` function to perform the verified JWT decode first, before using any claims data. Move the `jwt.decode()` call with signature verification to the beginning of the function, then extract the `sub` claim from the verified claims dictionary for logging.

Alternative: if logging is needed for failed attempts, only log unverified claims in exception handlers, with clear warnings that the subject is unverified.

### Acceptance Criteria

- [ ] Verified decode performed before using claims
- [ ] No unverified claims used for security decisions
- [ ] Logging uses verified claims only
- [ ] Unit tests verify correct decode order

### References

- Source reports: L1:9.1.1.md
- Related findings: FINDING-268
- ASVS sections: 9.1.1

### Priority

Low

---

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
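The ordering problem the issue describes, and the two remediations it proposes, as an added example that is not code from the `tooling-trusted-releases` project or from `atr/jwtoken.py`. It uses a minimal stdlib HS256 JWT implementation instead of PyJWT so it runs offline; the key, the token subjects and the function names `verify_unverified_first` / `verify_verified_first` are constructed stand-ins for the page's `verify()`, and `log` is a plain list standing in for `log.set_asf_uid()`.

```python
"""Added example: logging an unverified 'sub' before the signature check lets
a forged token put any username into the log; verifying first does not.
All keys, tokens and names below are constructed for the demonstration."""
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service would load this from configuration.
KEY = b"constructed-demo-key"


class InvalidSignature(Exception):
    """Raised when the HMAC over header.payload does not match the token."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """Equivalent of jwt.decode(..., options={"verify_signature": False}):
    returns whatever the bearer put in the payload, trusted or not."""
    _, payload, _ = token.split(".")
    return json.loads(_unb64url(payload))


def decode_verified(token: str, key: bytes) -> dict:
    """Return the claims only if the HMAC signature checks out."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise InvalidSignature("signature mismatch")
    return json.loads(_unb64url(payload))


def verify_unverified_first(token: str, key: bytes, log: list) -> dict:
    """The pattern the issue reports: the 'sub' of an unverified decode is
    written to the log context before the signature is checked, so a forged
    token controls what ends up in the failure log entry."""
    claims = decode_unverified(token)
    log.append(("asf_uid", claims.get("sub")))  # attacker-controlled value
    return decode_verified(token, key)


def verify_verified_first(token: str, key: bytes, log: list) -> dict:
    """Recommended remediation: verify first, then use the verified 'sub'.
    The alternative from the issue is applied in the except branch: the
    unverified subject is logged only on failure and explicitly labelled."""
    try:
        claims = decode_verified(token, key)
    except InvalidSignature:
        unverified_sub = decode_unverified(token).get("sub")
        log.append(("auth_failure", {"unverified_sub": unverified_sub}))
        raise
    log.append(("asf_uid", claims["sub"]))  # only ever a verified value
    return claims


def demo() -> dict:
    """Run both orderings against a genuine and a forged token and return
    the resulting log lists so the difference can be inspected."""
    genuine = encode({"sub": "alice"}, KEY)
    forged = encode({"sub": "victim"}, b"not-the-real-key")  # constructed forgery
    result = {}
    for name, fn in (("unverified_first", verify_unverified_first),
                     ("verified_first", verify_verified_first)):
        log: list = []
        fn(genuine, KEY, log)
        try:
            fn(forged, KEY, log)
        except InvalidSignature:
            pass
        result[name] = log
    return result


if __name__ == "__main__":
    for name, log in demo().items():
        print(name, log)
```

In the `unverified_first` log the forged subject appears as a normal `asf_uid` entry indistinguishable from a verified one, which is the log-injection the issue points at; in the `verified_first` log it can only appear under `auth_failure` with an `unverified_sub` label, and the success path never touches unverified data.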
