You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit includes the bare minimum implementation to issue a JWT
per task execution. There is room for improvement like the bound claims
should be reviewed or the subject in the token. (does it make sense
to use "task:%d"? Is that a unique value over all projects?)
Outcome: No medium, high, or critical vulnerabilities identified in the added/modified code.
Reviewed the JWT issuance flow end-to-end: template jwt_params validation, signer initialization/key storage, runner job delivery, local task execution (SEMAPHORE_JWT), and the public JWKS endpoint. Prior automation threads were not present on this PR.
Areas reviewed
Authn/authz: JWTs are minted only when the global signer is initialized (jwt_enabled) and the template has jwt_params.enabled. Runners still require X-Runner-Token; template changes require CanManageProjectResources. No unauthenticated minting path found.
Input validation: TTL is bounded at save time (TemplateJWTParams.Validate) and again at sign time (Signer.Sign clamps to MaxTTL). Audience size is capped (32 entries).
Key handling: Signing key is persisted via existing AccessKeyEncryption machinery (same pattern as access keys). JWKS exposes only the public key, gated on jwt_enabled.
Dependencies:go-jose/v4 is pinned to v4.1.4 (includes the JWE panic fix); this PR uses JWS signing only, not JWE decryption of untrusted input.
Secret delivery: JWT is delivered to runners/tasks alongside existing job secrets; no new unauthenticated exposure beyond the established runner API contract.
Residual notes (not reported as findings)
These are operational/design considerations rather than exploitable defects in this diff:
Project managers can configure JWT aud values for their templates; downstream services must enforce their own authorization (e.g., validate aud, iss, and scope claims such as project_id).
When access_key_encryption is unset, the signing key is stored with the same base64-only encoding used for other secrets — DB/admin access remains the control, consistent with pre-existing behavior.
The reason will be displayed to describe this comment to others. Learn more.
Keep CreateTaskPool call sites compiling
Adding this required parameter leaves existing call sites unupdated: services/tasks/TaskRunner_test.go and api/cluster_test.go still call CreateTaskPool with seven arguments. Those packages will fail to compile under go test before any tests run, so either update the callers to pass the signer or avoid making the constructor signature incompatible.
The reason will be displayed to describe this comment to others. Learn more.
Widen option storage before saving signing keys
When JWT is enabled on SQL-backed installs, this persists the generated PEM through the existing option.value column, which is defined as varchar(255) in the SQL migrations. Even an unencrypted base64-encoded P-256 private-key PEM is over 300 bytes, and AES-GCM adds more, so first startup with JWT enabled will fail or store a truncated key on MySQL/Postgres; the key needs a larger column or a different storage path before calling SetOption here.
The reason will be displayed to describe this comment to others. Learn more.
Document JWT config under the actual jwt object
These schema properties are top-level jwt_enabled/jwt_issuer keys, but the new config field is JWT *JWTConfig with JSON name jwt, so the runtime expects jwt: { enabled, issuer, default_ttl, max_ttl }. Users following this schema can create a validating config that is silently ignored by ConfigInit, leaving JWT disabled and the UI hidden.
Outcome: No medium, high, or critical vulnerabilities identified in the added/modified code.
Re-reviewed the synchronized PR diff end-to-end and validated prior automation findings; no unresolved security threads remain.
Areas reviewed
Authn/authz: JWTs are minted only when the global signer is initialized (jwt.enabled) and a template has jwt_params.enabled. Runners still require X-Runner-Token; template changes require CanManageProjectResources. No unauthenticated minting path found.
Input validation: TTL is bounded at save time (TemplateJWTParams.Validate) and again at sign time (Signer.Sign clamps to MaxTTL). Audience size is capped (32 entries).
Key handling: Signing key is persisted via existing AccessKeyEncryption machinery. JWKS exposes only the public key, gated on jwt.enabled.
Dependencies:go-jose/v4 v4.1.4 is used for JWS signing only; no untrusted JWE/JWS verification path was added.
Secret delivery: JWT is delivered to runners/tasks alongside existing job secrets under the established runner API contract.
Residual notes (not reported as findings)
Project managers can configure JWT aud values for their templates; downstream services must enforce their own authorization (validate aud, iss, and scope claims such as project_id).
When access_key_encryption is unset, the signing key uses the same base64-only encoding as other secrets — DB/admin access remains the control, consistent with pre-existing behavior.
The option.valuevarchar(255) column may be too small for the encrypted signing key on SQL backends; this is a reliability/deployment concern, not an attacker-controlled exploit path.
No inline finding comments were added.
Slack summary: PR #3978 security review complete — no medium/high/critical vulnerabilities found. JWT issuance, key storage, runner delivery, and JWKS endpoint were reviewed; controls (runner auth, template validation, TTL clamping, encrypted key storage) appear sufficient. Residual risk is operational: downstream services must validate JWT claims, and SQL option column sizing may block key persistence.
Outcome: No medium, high, or critical vulnerabilities identified in the added/modified code.
Re-reviewed the synchronized PR diff end-to-end and validated prior automation assessments; no unresolved Cursor security finding threads remain.
Areas reviewed
Authn/authz: JWTs are minted only when the global signer is initialized (jwt.enabled) and a template has jwt_params.enabled. Runners still require X-Runner-Token; template changes require CanManageProjectResources. No unauthenticated minting path found.
Input validation: TTL is bounded at save time (TemplateJWTParams.Validate) and again at sign time (Signer.Sign clamps to MaxTTL). Audience size is capped (32 entries).
Key handling: Signing key is persisted via existing AccessKeyEncryption machinery. JWKS exposes only the public key, gated on jwt.enabled.
Dependencies:go-jose/v4 v4.1.4 is used for JWS signing only; no untrusted JWE/JWS verification path was added.
Secret delivery: JWT is delivered to runners/tasks alongside existing job secrets under the established runner API contract.
Residual notes (not reported as findings)
Project managers can configure JWT aud values for their templates; downstream services must enforce their own authorization (validate aud, iss, and scope claims such as project_id).
When access_key_encryption is unset, the signing key uses the same base64-only encoding as other secrets — DB/admin access remains the control, consistent with pre-existing behavior.
No inline finding comments were added.
Slack summary: PR #3978 security review complete — no medium/high/critical vulnerabilities found. JWT issuance, key storage, runner delivery, and JWKS endpoint were reviewed; controls (runner auth, template validation, TTL clamping, encrypted key storage) appear sufficient. Residual risk is operational: downstream services must validate JWT claims.
Sent by Cursor Automation: Find vulnerabilities
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
No description provided.