asf-tooling opened a new issue, #1119:
URL: https://github.com/apache/tooling-trusted-releases/issues/1119

**ASVS Level(s):** L1

**Description:**

### Summary
The `verify()` function uses PyJWT's `require` option to mandate the presence of specific claims but omits `nbf` from the required list. While PyJWT's default behavior (`verify_nbf=True`) does verify the `nbf` claim when present, it does not enforce that the claim must exist in the token. The vulnerability is not practically exploitable because ATR uses HS256 symmetric signing with a secret key, and attackers cannot forge valid tokens without the signing key. All legitimate ATR-issued tokens include `nbf`. This is a defense-in-depth gap rather than an exploitable vulnerability.

### Details
In `atr/jwtoken.py` at lines 107-115, the `jwt.decode()` call includes a `require` list that does not include `"nbf"`.

### Recommended Remediation
Add `"nbf"` to the required claims list in the `jwt.decode()` call:

```python
# atr/jwtoken.py, line 113
claims = jwt.decode(
    token,
    jwt_secret_key,
    algorithms=[_ALGORITHM],
    issuer=_ATR_JWT_ISSUER,
    audience=_ATR_JWT_AUDIENCE,
    options={"require": ["sub", "iss", "aud", "iat", "nbf", "exp", "jti"]},
    #                                            ^^^^ ADDED
)
```

Validation steps:
1. All existing tests pass (tokens already include `nbf`)
2. Add negative test: token without `nbf` is rejected
3. Confirm error message indicates missing required claim
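The distinction the issue draws (a time claim that is *present* gets validated, but only `require` makes it mandatory) is easy to see with a small verifier. The block below is an added illustration written for this issue; it is not ATR's `verify()` and it is not PyJWT, but a standard-library HS256 implementation whose `decode()` mirrors those two PyJWT behaviours. The secret, issuer, audience and claim values are constructed for the example, and `REQUIRE_BEFORE` / `REQUIRE_AFTER` are the two `require` lists from the remediation above. `verdict()` plays the role of the negative test in the validation steps: it mints a token without `nbf` and reports whether the verifier accepts it under each list.

```python
"""Added example: a minimal HS256 JWT verifier (standard library only, not PyJWT
and not ATR's code) that reproduces the behaviour the issue describes:

  * a time claim that is present is validated (like PyJWT's verify_nbf);
  * a claim is only required to exist if it is listed in require.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed sample values; not ATR's real configuration.
SECRET = b"example-shared-secret"
ISSUER = "example-issuer"
AUDIENCE = "example-audience"
NOW = 1_700_000_000  # fixed clock so results are reproducible

# The require lists before and after the proposed fix.
REQUIRE_BEFORE = ["sub", "iss", "aud", "iat", "exp", "jti"]
REQUIRE_AFTER = ["sub", "iss", "aud", "iat", "nbf", "exp", "jti"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode(token: str, key: bytes, *, issuer: str, audience: str,
           require: list[str], now: float | None = None) -> dict:
    """Check signature, presence of required claims, then values of present claims."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    # Presence check: the only place a *missing* claim is ever caught.
    missing = [c for c in require if c not in claims]
    if missing:
        raise ValueError(f"missing required claim(s): {', '.join(missing)}")
    # Value checks: applied only when the claim is present in the token.
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    if "iss" in claims and claims["iss"] != issuer:
        raise ValueError("bad issuer")
    if "aud" in claims and claims["aud"] != audience:
        raise ValueError("bad audience")
    return claims


def verdict(require: list[str], extra: dict | None = None) -> str:
    """Mint a token lacking nbf (plus any extra claims) and report the verifier's decision."""
    claims = {"sub": "user", "iss": ISSUER, "aud": AUDIENCE,
              "iat": NOW, "exp": NOW + 600, "jti": "id-1"}
    claims.update(extra or {})
    token = encode(claims, SECRET)
    try:
        decode(token, SECRET, issuer=ISSUER, audience=AUDIENCE, require=require, now=NOW + 1)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("no nbf, old require list:", verdict(REQUIRE_BEFORE))   # accepted
    print("no nbf, new require list:", verdict(REQUIRE_AFTER))    # rejected: missing required claim(s): nbf
    print("future nbf, old list:   ", verdict(REQUIRE_BEFORE, {"nbf": NOW + 100}))  # rejected: token not yet valid
```

The same pattern applies to PyJWT itself: a token that carries a future `nbf` is rejected by `verify_nbf` under either list, but a token with no `nbf` at all is only rejected once `"nbf"` is in `options["require"]`, which is why the negative test in step 2 should mint a token that omits the claim entirely rather than one with a bad value.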
   
### Acceptance Criteria
- [ ] `nbf` claim added to required list
- [ ] Tokens without `nbf` claim are rejected
- [ ] All existing tests pass
- [ ] Negative test added for missing `nbf`

### References
- Source reports: L1:9.2.1.md
- Related findings: None
- ASVS sections: 9.2.1

### Priority
Low