This is an automated email from the ASF dual-hosted git repository.

sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git


The following commit(s) were added to refs/heads/main by this push:
     new cce31032 Forbid mutating navigations to the API and all mutating 
cross-site requests
cce31032 is described below

commit cce310329d0ac9061c418efccf7fc578ce584ba4
Author: Dave Fisher <[email protected]>
AuthorDate: Tue Mar 3 07:47:35 2026 -0800

    Forbid mutating navigations to the API and all mutating cross-site requests
    
    * Validate sec-fetch headers
    
    * Update sec-fetch checks
    
    * Something broke in integration tests
    
    * Put back to double check
    
    * Change restrictions
    
    ---------
    
    Co-authored-by: Sean B. Palmer <[email protected]>
---
 atr/server.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/atr/server.py b/atr/server.py
index da736e3b..bcb45517 100644
--- a/atr/server.py
+++ b/atr/server.py
@@ -525,6 +525,23 @@ def _app_setup_security_headers(app: base.QuartApp) -> 
None:
         ]
     )
 
+    @app.before_request
+    async def validate_sec_fetch_headers() -> None:
+        if quart.request.method not in ("GET", "HEAD", "OPTIONS"):
+            sec_fetch_mode = quart.request.headers.get("Sec-Fetch-Mode")
+            sec_fetch_site = quart.request.headers.get("Sec-Fetch-Site")
+
+            # Apart from PAT hashes and PII, all data in ATR is public
+            # Therefore we are only concerned here with non-GET API requests
+            if (sec_fetch_mode == "navigate") and 
quart.request.path.startswith("/api/"):
+                raise base.ASFQuartException(
+                    "Forbidden: non-GET/HEAD/OPTIONS browser navigation to API 
endpoint", errorcode=403
+                )
+
+            # This is in addition to our existing CSRF protection
+            if sec_fetch_site == "cross-site":
+                raise base.ASFQuartException("Forbidden: cross-site 
non-GET/HEAD/OPTIONS request", errorcode=403)
+
     # X-Content-Type-Options: nosniff is required by ASVS v5 3.4.4 (L2)
     # A strict Referrer-Policy is required by ASVS v5 3.4.5 (L2)
     # HSTS is required by ASVS v5 9.2.1 (L1)
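Review bot: The `Sec-Fetch-Site` check on the line `if sec_fetch_site == "cross-site":` rejects only the `cross-site` value, so a mutating request whose header says `same-site` (a sibling subdomain under the same registrable domain) is still accepted, as is one carrying no Sec-Fetch headers at all, which is what non-browser API clients send. If sibling subdomains are not trusted in this deployment, the condition could be `if sec_fetch_site in ("cross-site", "same-site"):`; if they are trusted, that choice deserves a comment so the next reader does not tighten it by accident. The fall-through on absent headers looks deliberate for PAT-based clients but is worth stating next to the existing `# This is in addition to our existing CSRF protection` comment, e.g. `# Requests without Sec-Fetch headers (non-browser clients) pass through here; the existing CSRF check still applies`. The enclosing `_app_setup_security_headers` starts before and continues after this hunk.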

