andrewmusselman opened a new issue, #673:
URL: https://github.com/apache/tooling-trusted-releases/issues/673
**ASVS Requirement:** 9.1.3 — Token Source and Integrity
**Severity:** Informational (defense-in-depth)
### Description
ASVS 9.1.3 specifically requires that JWT headers such as `jku`, `x5u`, and
`jwk` are validated against an allowlist. PyJWT's default behavior already
ignores these headers for key selection, so there is no current exploitable
vulnerability. However, explicitly rejecting tokens that contain these headers
would provide defense in depth against future library behavior changes or
misconfigurations.
### Recommended fix
Before verifying GitHub OIDC tokens, inspect the unverified header and
reject the token if any of `jku`, `x5u`, or `jwk` are present:
```python
header = jwt.get_unverified_header(token)
dangerous_headers = {'jku', 'x5u', 'jwk'}
if dangerous_headers.intersection(header.keys()):
raise base.ASFQuartException("JWT contains disallowed headers",
errorcode=401)
```
1. Check what PyJWT does with extra headers
2. Block the headers
### Relevant code
`atr/jwtoken.py` — `verify_github_oidc()`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
