fix(security): resolve code scanning alerts in JWT and checksum handling#309
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Resolves security code-scanning findings by clarifying non-cryptographic checksum usage and avoiding unverified JWT decoding while still extracting exp solely for OIDC token cache TTL handling.
Changes:
- Mark MD5/SHA1 hashing as non-security (
usedforsecurity=False) for checksum verification paths. - Replace
PyJWT-based unverified JWT decoding with a direct base64url payload parse to readexpfor cache expiry.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
cloudsmith_cli/core/utils.py |
Uses hashlib.md5(usedforsecurity=False) when computing file MD5 checksums. |
cloudsmith_cli/core/download.py |
Uses hashlib.sha1(usedforsecurity=False) for SHA1 checksum verification. |
cloudsmith_cli/core/credentials/oidc/cache.py |
Extracts JWT exp by base64url-decoding the payload segment (no signature verification) for cache TTL purposes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
cloudsmith-iduffy
approved these changes
Jun 10, 2026
cloudsmith-iduffy
left a comment
Contributor
There was a problem hiding this comment.
Approving for the usedforsecurity=False but the JWT thing should be reverted, best to let a library handle understanding how a JWT is decoded.
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Resolves code scanning alerts:
oidc/cache.py: keeps PyJWT'sjwt.decode(..., options={"verify_signature": False})per review, documents why the signature is deliberately not verified (theexpclaim is only used for a cache TTL on our own server-issued token, never for authorization), and drops thealgorithmslist — it has no effect when verification is disabled and was flagged separately by code scanning.utils.py/download.py: marks MD5/SHA1 checksum hashing withusedforsecurity=False— used solely to verify API-provided package checksums, not for cryptography.Type of Change
Additional Notes
The remaining "Unverified JWT Token Decoding" alert is dismissed as won't fix with justification: the decode is intentional and never feeds an authorization decision. Full pytest green on Python 3.10 and 3.14. Live push/download round-trip exercised the checksum paths.
usedforsecurity=Falserequires Python ≥3.9, below the project's 3.10 floor.