Skip to content

[security] SDK hardening: distinct unverified status, payload binding#55

Merged
beonde merged 2 commits into
mainfrom
security/sec-sdk-hardening
Apr 23, 2026
Merged

[security] SDK hardening: distinct unverified status, payload binding#55
beonde merged 2 commits into
mainfrom
security/sec-sdk-hardening

Conversation

@beonde

@beonde beonde commented Apr 22, 2026

Copy link
Copy Markdown
Member

Security Audit Remediation — SDK Python Hardening

Changes

Task Severity Description
SEC-SDK-002 Medium Minor breaking: When no public key is provided, validate_signature now returns success=False with code UNVERIFIED_FORMAT_OK (score 50) instead of success=True (score 70). Callers that pattern-matched on success for format-only validation should check for the UNVERIFIED_FORMAT_OK issue code.
SEC-SDK-003 Medium After JWS verification succeeds, the decoded payload is compared against the caller-supplied payload using canonical JSON. Mismatches return PAYLOAD_MISMATCH error.

Breaking Changes

  • SEC-SDK-002: validate_signature() without a public key previously returned success=True. Now returns success=False with a WARNING issue code UNVERIFIED_FORMAT_OK.

@beonde
[security] SDK Python hardening: distinct unverified status, payload …
884a237 
…binding

SEC-SDK-002: Return UNVERIFIED_FORMAT_OK (score 50, success=false) instead of success when no public key provided
SEC-SDK-003: After JWS verification, compare decoded payload to caller-supplied payload via canonical JSON
Copilot AI review requested due to automatic review settings April 22, 2026 20:58
@github-actions

github-actions Bot commented Apr 22, 2026

Copy link
Copy Markdown

✅ Documentation validation passed!

Unified docs will be deployed from capiscio-docs repo.

@github-actions

github-actions Bot commented Apr 22, 2026

Copy link
Copy Markdown

✅ All checks passed! Ready for review.

@codecov

codecov Bot commented Apr 22, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 16.66667% with 5 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
capiscio_sdk/validators/signature.py 16.66% 5 Missing ⚠️

📢 Thoughts on this report? Let us know!

Copilot AI reviewed Apr 22, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the legacy Python SignatureValidator by (1) distinguishing “format-only / unverified” signatures from cryptographically verified signatures and (2) binding a verified JWS to the caller-supplied payload to prevent payload substitution.

Changes:

  • Change the no-public-key path to emit UNVERIFIED_FORMAT_OK and return success=False with a reduced score (format-only validation no longer counts as success).
  • After successful JWS verification, compare decoded payload vs the supplied payload and emit PAYLOAD_MISMATCH on mismatch.

Comment thread capiscio_sdk/validators/signature.py
Comment on lines +175 to 179
code="UNVERIFIED_FORMAT_OK",
message="Signature format valid but cryptographic verification not performed (no public key provided)",
path="signatures",
)
)
Comment thread capiscio_sdk/validators/signature.py
Comment on lines +175 to 179
code="UNVERIFIED_FORMAT_OK",
message="Signature format valid but cryptographic verification not performed (no public key provided)",
path="signatures",
)
)
Comment thread capiscio_sdk/validators/signature.py Outdated
Comment on lines +113 to +117
if caller_json != decoded_json:
issues.append(
ValidationIssue(
severity=ValidationSeverity.ERROR,
code="PAYLOAD_MISMATCH",
Comment thread capiscio_sdk/validators/signature.py
Comment on lines +176 to +180
message="Signature format valid but cryptographic verification not performed (no public key provided)",
path="signatures",
)
)
score = 70 # Format is OK but not verified
score = 50 # Format-only: below success threshold
Comment thread capiscio_sdk/validators/signature.py Outdated
Comment on lines +109 to +113
# Bind: compare decoded payload against caller-supplied payload
# Use canonical JSON comparison to avoid ordering issues
caller_json = json.dumps(payload, sort_keys=True, separators=(',', ':'))
decoded_json = json.dumps(decoded, sort_keys=True, separators=(',', ':'))
if caller_json != decoded_json:
@beonde
fix: use structural comparison for payload binding, remove unused jso…
3cecdb9 
…n import

- Replace JSON canonical comparison with direct dict equality (simpler, correct)
- Remove unused json import
@github-actions

github-actions Bot commented Apr 23, 2026

Copy link
Copy Markdown

✅ Documentation validation passed!

Unified docs will be deployed from capiscio-docs repo.

@github-actions

github-actions Bot commented Apr 23, 2026

Copy link
Copy Markdown

✅ All checks passed! Ready for review.

@beonde beonde merged commit b4982e6 into main Apr 23, 2026
10 of 13 checks passed
@beonde beonde deleted the security/sec-sdk-hardening branch April 23, 2026 02:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@beonde