This is an automated email from the ASF dual-hosted git repository. arm pushed a commit to branch arm in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit ff331509fd5f363d790e8c0a18adef256731bfce
Author: Alastair McFarlane <[email protected]>
AuthorDate: Tue Feb 17 10:10:51 2026 +0000
    Reject "dangerous" JWT headers. Closes #673.
---
 atr/jwtoken.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/atr/jwtoken.py b/atr/jwtoken.py
index 61bdf1dd..252c0a7d 100644
--- a/atr/jwtoken.py
+++ b/atr/jwtoken.py
@@ -105,6 +105,10 @@ def verify(token: str) -> dict[str, Any]:
 async def verify_github_oidc(token: str) -> dict[str, Any]:
+    header = jwt.get_unverified_header(token)
+    dangerous_headers = {"jku", "x5u", "jwk"}
+    if dangerous_headers.intersection(header.keys()):
+        raise base.ASFQuartException("JWT contains disallowed headers", errorcode=401)
     try:
         async with util.create_secure_session() as session:
             r = await session.get(
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
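Review bot: The new `jwt.get_unverified_header(token)` call sits before the existing `try:` block, so a malformed or non-JWT token now raises the library's decode error (in PyJWT that is `jwt.DecodeError`) instead of the `ASFQuartException` with `errorcode=401` that the new check and presumably the rest of this function use for rejection; whether the outer `try` would have caught it is outside the hunk, but nothing above it does. The header parse should be wrapped so a bad token is rejected consistently with the disallowed-header case, and the rejection reason is worth a one-line comment such as `# Reject header parameters that let the token name its own verification key`. If the sibling `verify()` named in the hunk header also decodes caller-supplied tokens it may need the same guard; the body of `verify_github_oidc` continues past the end of the hunk.
```python
async def verify_github_oidc(token: str) -> dict[str, Any]:
    # Reject header parameters that let the token name its own verification key
    try:
        header = jwt.get_unverified_header(token)
    except jwt.DecodeError as exc:
        raise base.ASFQuartException("JWT header could not be parsed", errorcode=401) from exc
    dangerous_headers = {"jku", "x5u", "jwk"}
    if dangerous_headers.intersection(header.keys()):
        raise base.ASFQuartException("JWT contains disallowed headers", errorcode=401)
    # … unchanged: session fetch and verification …
```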
