https://blog.abhipraya.dev/tags/bandit/Recent content in Bandit on Daffa AbhiprayaHugoen-us© Daffa AbhiprayaMon, 23 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w1-security/Mon, 23 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w1-security/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>This week I addressed a critical security vulnerability flagged by SonarQube and hardened the CI pipeline so security issues block merges instead of being silently reported.</p> <h2 id="the-jwt-vulnerability-sonarqube-s5659"> <a class="anchor" href="#the-jwt-vulnerability-sonarqube-s5659" data-anchor="the-jwt-vulnerability-sonarqube-s5659" aria-hidden="true">#</a> The JWT Vulnerability (SonarQube S5659) </h2> <p>SonarQube flagged <code>dependencies.py:34</code> as a <strong>CRITICAL vulnerability</strong>: <code>jwt.get_unverified_header()</code> reads the JWT header without verifying the signature. This enables the <strong>alg:none attack</strong>, where an attacker crafts a token with <code>&quot;alg&quot;: &quot;none&quot;</code> in the header, causing the library to skip signature verification entirely.</p>