[Security] Specify the list of accepted algorithms in jwt.decode() calls to mitigate https://nvd.nist.gov/vuln/detail/CVE-2024-33663.

gmarciani · gmarciani · commit 67599f84072a · 2024-07-22T17:38:49.000+02:00
We specify the accepted algorithms to be [RS256] as suggested by Amazon Cognito.
diff --git a/api/PclusterApiHandler.py b/api/PclusterApiHandler.py
@@ -62,8 +62,11 @@
     JWKS_URL = os.getenv("JWKS_URL",
                          f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}/" ".well-known/jwks.json")
 
+
 def jwt_decode(token, audience=None, access_token=None):
-    return jwt.decode(token, requests.get(JWKS_URL).json(), audience=audience, access_token=access_token)
+    return jwt.decode(
+        token, requests.get(JWKS_URL).json(), audience=audience, access_token=access_token, algorithms=["RS256"]
+    )
 
 
 def setup_api_credentials(role_arn, credential_external_id=None):
