Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 7 additions & 6 deletions cloudsmith_cli/core/credentials/oidc/cache.py
Original file line number Diff line number Diff line change
Expand Up @@ -41,15 +41,16 @@ def _cache_key(api_host: str, org: str, service_slug: str) -> str:


def _decode_jwt_exp(token: str) -> float | None:
"""Decode the exp claim from a JWT without verification."""
"""Read the exp claim from a JWT payload.

The token is only inspected to determine a cache TTL; it is never used to
make an authorization decision, so the signature is deliberately not
verified (the API rejects tampered tokens regardless).
"""
Comment thread
BartoszBlizniak marked this conversation as resolved.
try:
import jwt

payload = jwt.decode(
token,
options={"verify_signature": False},
algorithms=["RS256", "ES256", "HS256"],
)
payload = jwt.decode(token, options={"verify_signature": False})
exp = payload.get("exp")
if exp is not None:
return float(exp)
Expand Down
2 changes: 1 addition & 1 deletion cloudsmith_cli/core/download.py
Original file line number Diff line number Diff line change
Expand Up @@ -583,7 +583,7 @@ def _verify_checksum(filepath: str, expected: str) -> bool:

# Try SHA1
if len(expected) == 40:
sha1_hash = hashlib.sha1()
sha1_hash = hashlib.sha1(usedforsecurity=False)
with open(filepath, "rb") as f:
for chunk in iter(lambda: f.read(4096), b""):
sha1_hash.update(chunk)
Expand Down
2 changes: 1 addition & 1 deletion cloudsmith_cli/core/utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ def read_file(*path):

def calculate_file_md5(filepath, blocksize=2**20):
"""Calculate an MD5 hash for a file."""
checksum = hashlib.md5()
checksum = hashlib.md5(usedforsecurity=False)

with click.open_file(filepath, "rb") as f:

Expand Down
Loading