Replace assert with explicit error handling in OAuth callback (a.k.a. document no -O flag usage) #680

@andrewmusselman

Description

Source: V10.4.2 audit — Observation 2

In src/asfquart/generics.py (line ~69), the OAuth token exchange uses a Python assert statement to verify the response from the authorization server:

assert rv.status == 200, "Could not verify oauth response."

assert statements are stripped when Python is run with the -O (optimize) flag. If the application were ever started with optimization enabled, this check would be silently skipped, potentially allowing the OAuth flow to proceed with a failed or malicious token exchange response.

Recommendation

  1. Document that the application must not be run with the -O flag

Or replace the assert with explicit error handling:

if rv.status != 200:
    return quart.Response(status=403, response="OAuth authentication failed.")
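The following added example (not part of this issue or of the asfquart code base) makes the failure mode concrete: it compiles the assert-based check at Python's normal and -O optimization levels and runs both alongside the explicit check. The response objects are constructed stand-ins, and FakeQuartResponse is a hypothetical replacement for quart.Response so the script runs without Quart installed.

```python
from types import SimpleNamespace

# Constructed stand-in for the token-exchange response: only the .status
# attribute that the check inspects.
def fake_response(status: int) -> SimpleNamespace:
    return SimpleNamespace(status=status)

# The assert-based check as quoted from generics.py (line ~69), as source text
# so it can be compiled at a chosen optimization level.
ASSERT_CHECK_SRC = '''
def verify_oauth_response(rv):
    assert rv.status == 200, "Could not verify oauth response."
    return "ok"
'''

def build_assert_check(optimize: int):
    """Compile the check the way the interpreter would at the given level:
    optimize=0 keeps asserts, optimize=1 strips them exactly as -O (or the
    PYTHONOPTIMIZE environment variable) does, independent of how this
    process itself was started."""
    ns = {}
    code = compile(ASSERT_CHECK_SRC, "<generics.py>", "exec", optimize=optimize)
    exec(code, ns)
    return ns["verify_oauth_response"]

def assert_check_outcome(status: int, optimize: int) -> str:
    """Return 'ok' if the check passed, 'rejected' if the assert fired."""
    try:
        return build_assert_check(optimize)(fake_response(status))
    except AssertionError:
        return "rejected"

# Hardened variant: an explicit status check is ordinary control flow and
# cannot be optimized away. FakeQuartResponse is a hypothetical stand-in.
class FakeQuartResponse:
    def __init__(self, status: int, response: str):
        self.status, self.response = status, response

def verify_oauth_response_explicit(rv):
    if rv.status != 200:
        return FakeQuartResponse(status=403, response="OAuth authentication failed.")
    return "ok"

def explicit_check_outcome(status: int) -> str:
    result = verify_oauth_response_explicit(fake_response(status))
    return "rejected" if isinstance(result, FakeQuartResponse) else result

if __name__ == "__main__":
    for status in (200, 401):
        print(status, "assert:", assert_check_outcome(status, 0),
              "assert under -O:", assert_check_outcome(status, 1),
              "explicit:", explicit_check_outcome(status))
```

With a 401 response, the assert-based check rejects at level 0 but returns "ok" at level 1, while the explicit check rejects at both.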

Severity

Low — requires the unlikely condition of running with -O, but violates defense-in-depth principles for an authentication-critical code path.

Labels: ASVS, L1, documentation, security
