Abhishekmishra2808 commented on issue #548: URL: https://github.com/apache/tooling-trusted-releases/issues/548#issuecomment-3806870232
Hi @sbp and @dave2wave, I have opened a Pull Request to address this issue. As discussed, I have moved away from implicit system defaults for HTTP sessions to an explicit, hardened configuration.

**Key highlights of the fix:**

* **Centralized Logic**: Created a secure session factory in `atr/util.py` now used by 15 call sites across the project.
* **Hardened TLS**: Explicitly enforced **TLS >= 1.2** by setting `minimum_version = ssl.TLSVersion.TLSv1_2`.
* **ASVS Compliance**: Mandated `CERT_REQUIRED` and enabled `check_hostname` to satisfy ASVS 9.1.1 and 9.1.2.
* **Automated Testing**: Added a new test suite (`tests/test_util_security.py`) with 11 unit tests to verify the SSL context configuration.

I've verified that `ruff` and my new security tests pass. I did note some pre-existing environment issues with Playwright and the Yarn GPG key in the Codespace, but these are unrelated to the core ATR logic refactored here.

Looking forward to your feedback!

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
