Skip to content

fix(security): resolve code scanning alerts in JWT and checksum handling#309

Merged
BartoszBlizniak merged 4 commits into
masterfrom
fix/security-code-scanning
Jun 10, 2026
Merged

fix(security): resolve code scanning alerts in JWT and checksum handling#309
BartoszBlizniak merged 4 commits into
masterfrom
fix/security-code-scanning

Conversation

@BartoszBlizniak

@BartoszBlizniak BartoszBlizniak commented Jun 10, 2026

Copy link
Copy Markdown
Member

Description

Resolves code scanning alerts:

  • oidc/cache.py: keeps PyJWT's jwt.decode(..., options={"verify_signature": False}) per review, documents why the signature is deliberately not verified (the exp claim is only used for a cache TTL on our own server-issued token, never for authorization), and drops the algorithms list — it has no effect when verification is disabled and was flagged separately by code scanning.
  • utils.py / download.py: marks MD5/SHA1 checksum hashing with usedforsecurity=False — used solely to verify API-provided package checksums, not for cryptography.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Refactoring
  • Other (please describe)

Additional Notes

The remaining "Unverified JWT Token Decoding" alert is dismissed as won't fix with justification: the decode is intentional and never feeds an authorization decision. Full pytest green on Python 3.10 and 3.14. Live push/download round-trip exercised the checksum paths. usedforsecurity=False requires Python ≥3.9, below the project's 3.10 floor.

Copilot AI review requested due to automatic review settings June 10, 2026 11:57
@BartoszBlizniak BartoszBlizniak requested a review from a team as a code owner June 10, 2026 11:57

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Resolves security code-scanning findings by clarifying non-cryptographic checksum usage and avoiding unverified JWT decoding while still extracting exp solely for OIDC token cache TTL handling.

Changes:

  • Mark MD5/SHA1 hashing as non-security (usedforsecurity=False) for checksum verification paths.
  • Replace PyJWT-based unverified JWT decoding with a direct base64url payload parse to read exp for cache expiry.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
cloudsmith_cli/core/utils.py Uses hashlib.md5(usedforsecurity=False) when computing file MD5 checksums.
cloudsmith_cli/core/download.py Uses hashlib.sha1(usedforsecurity=False) for SHA1 checksum verification.
cloudsmith_cli/core/credentials/oidc/cache.py Extracts JWT exp by base64url-decoding the payload segment (no signature verification) for cache TTL purposes.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread cloudsmith_cli/core/credentials/oidc/cache.py Outdated
Comment thread cloudsmith_cli/core/credentials/oidc/cache.py

@cloudsmith-iduffy cloudsmith-iduffy left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving for the usedforsecurity=False but the JWT thing should be reverted, best to let a library handle understanding how a JWT is decoded.

Comment thread cloudsmith_cli/core/credentials/oidc/cache.py Outdated
@BartoszBlizniak BartoszBlizniak merged commit 2a30884 into master Jun 10, 2026
70 of 71 checks passed
@BartoszBlizniak BartoszBlizniak deleted the fix/security-code-scanning branch June 10, 2026 15:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants