oidc/github: make repo comparison insensitive (#15501)

woodruffw · web-flow · commit 6c84303f5d14 · 2024-02-27T17:23:43.000-05:00
This fixes the immediate bug in #15498. Closes #15498. Signed-off-by: William Woodruff <william@trailofbits.com>
diff --git a/tests/unit/oidc/models/test_github.py b/tests/unit/oidc/models/test_github.py
@@ -244,6 +244,27 @@ def test_github_publisher_verifies(self, monkeypatch, environment, missing_claim
             optional_verifiable_claims
         )
 
+    @pytest.mark.parametrize(
+        ("truth", "claim", "valid"),
+        [
+            # invalid: claim should never be empty or missing
+            ("", None, False),
+            ("foo", None, False),
+            ("", "", False),
+            ("foo", "", False),
+            # valid: exact and case-insensitive matches
+            ("foo", "foo", True),
+            ("Foo", "foo", True),
+            ("Foo", "Foo", True),
+            ("foo", "Foo", True),
+            ("FOO", "foo", True),
+            ("foo", "FOO", True),
+        ],
+    )
+    def test_check_repository(self, truth, claim, valid):
+        check = github.GitHubPublisher.__required_verifiable_claims__["repository"]
+        assert check(truth, claim, pretend.stub()) == valid
+
     @pytest.mark.parametrize(
         ("claim", "ref", "sha", "valid", "expected"),
         [
diff --git a/warehouse/oidc/models/github.py b/warehouse/oidc/models/github.py
@@ -27,6 +27,15 @@
 )
 
 
+def _check_repository(ground_truth, signed_claim, all_signed_claims):
+    # Defensive: GitHub should never give us an empty repository claim.
+    if not signed_claim:
+        return False
+
+    # GitHub repository names are case-insensitive.
+    return signed_claim.lower() == ground_truth.lower()
+
+
 def _check_job_workflow_ref(ground_truth, signed_claim, all_signed_claims):
     # We expect a string formatted as follows:
     #   OWNER/REPO/.github/workflows/WORKFLOW.yml@REF
@@ -112,7 +121,7 @@ class GitHubPublisherMixin:
 
     __required_verifiable_claims__: dict[str, CheckClaimCallable[Any]] = {
         "sub": _check_sub,
-        "repository": check_claim_binary(str.__eq__),
+        "repository": _check_repository,
         "repository_owner": check_claim_binary(str.__eq__),
         "repository_owner_id": check_claim_binary(str.__eq__),
         "job_workflow_ref": _check_job_workflow_ref,
