andrewmusselman opened a new issue, #672: URL: https://github.com/apache/tooling-trusted-releases/issues/672
**ASVS Requirements:** 9.1.3 (Finding-02), 9.2.1 (Finding-04)
**Severity:** Low
**CWE:** CWE-347 (Improper Verification of Cryptographic Signature)

### Description

`atr/jwtoken.py:79-88` exposes a public function `unverified_header_and_payload()` that decodes JWTs without verifying the signature or any time-validity claims (`exp`, `nbf`). While the function is not currently used in security-critical code paths, its existence as a public API member creates risk that future code could mistakenly rely on its output for authorization decisions.

### Recommended fix

1. Rename to `_unverified_header_and_payload` (underscore prefix) to signal internal use.
2. Add a docstring warning that the returned payload must never be used for authorization.
3. Consider adding a log statement when the function is called in production to aid in auditing.
4. Document in a new policy

### Relevant code

`atr/jwtoken.py` — `unverified_header_and_payload()`.
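To make the risk in the description concrete, here is an added, self-contained illustration (not code from `atr/jwtoken.py` or the tooling-trusted-releases project) of an underscore-prefixed, docstring-warned decode-only helper next to a verifying decoder; the HS256 helpers, the key and the token contents are constructed for the demo, and the decode-only function has the same shape as the issue describes: it returns header and payload without checking the signature, `exp` or `nbf`.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_token(payload: dict, key: bytes) -> str:
    """Constructed helper: mint an HS256 JWT so the demo runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def _unverified_header_and_payload(token: str) -> tuple[dict, dict]:
    """Decode only. The signature, exp and nbf are NOT checked, so the
    returned payload must never be used for an authorization decision."""
    header, body, _sig = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(body))

def verified_payload(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """The path callers should use: pins the algorithm, checks the HMAC in
    constant time, then enforces the exp and nbf time-validity claims."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload

def demo() -> dict:
    """Tamper with the payload of a valid token: the decode-only helper
    happily reports the altered claim, the verifying decoder rejects it."""
    key = b"constructed-demo-key"
    token = make_hs256_token({"sub": "alice", "role": "user", "exp": 2_000_000_000}, key)
    header, _body, sig = token.split(".")
    altered = _b64url_encode(json.dumps({"sub": "alice", "role": "admin"}).encode())
    tampered = f"{header}.{altered}.{sig}"
    result = {"unverified_role": _unverified_header_and_payload(tampered)[1]["role"]}
    try:
        verified_payload(tampered, key)
        result["verified_rejects"] = False
    except ValueError:
        result["verified_rejects"] = True
    return result
```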
