andrewmusselman opened a new issue, #597:
URL: https://github.com/apache/tooling-trusted-releases/issues/597
## Summary
The `/published/<path:path>` endpoint allows any authenticated ASF committer
to browse and download files from the entire downloads directory without
verifying they have access to the specific project's files. The code notes this
is "for debugging" but is deployed with production decorators.
## ASVS Requirements
- 8.2.2 - Verify that data-specific access is restricted to consumers with
explicit permissions (IDOR/BOLA prevention)
## Related Audit Reports
- [8.2.2.md](ASVS/reports/44ee502/L1/8.2.2.md) - ASVS-822-CRIT-001
## Affected Files
- `atr/get/published.py` - `path()` and `_path()` functions (lines 30-55)
## Current Behavior
```python
# atr/get/published.py lines 30-55
@get.committer("/published/<path:path>")
async def path(session: web.Committer, path: str) -> web.QuartResponse:
    """View the content of a specific file in the downloads directory."""
    validated_path = form.to_relpath(path)
    if validated_path is None:
        return quart.abort(400)
    return await _path(session, str(validated_path))  # No project authorization!
```
## Risk
- Any ASF committer can access release files from projects they are not members of
- Potentially exposes unreleased/draft artifacts before public availability
- Violates principle of least privilege
- Could leak sensitive release preparation details
## Recommended Fix
```python
@get.committer("/published/<path:path>")
async def path(session: web.Committer, path: str) -> web.QuartResponse:
    """View the content of a specific file in the downloads directory."""
    validated_path = form.to_relpath(path)
    if validated_path is None:
        return quart.abort(400)
    # Extract project name from path and verify authorization
    path_parts = str(validated_path).split('/')
    if path_parts:
        project_name = path_parts[0]
        await session.check_access(project_name)  # ADD THIS
    return await _path(session, str(validated_path))
```
## Acceptance Criteria
- [ ] Project name extracted from file path
- [ ] `session.check_access(project_name)` called before serving file
- [ ] Non-members receive 403 Forbidden response
- [ ] Test coverage added for authorization checks
- [ ] Consider if this endpoint should be admin-only or removed entirely
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
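Editor's added example, not part of the issue above and not code from apache/tooling-trusted-releases: a self-contained version of the per-project check the issue asks for, with the path validation done before the project name is read from it. The `Committer` class, its `projects` and `is_admin` fields, the `to_relpath` helper and the `<project>/...` layout of the downloads tree are all assumptions for the example; the real ATR session and `form.to_relpath` APIs may differ.

```python
"""
Added example (not the project's code): authorize a request for
/published/<path> by (1) validating that the path is a plain relative path
that cannot escape the downloads tree and (2) checking that the session
belongs to the project named by the first path segment.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Optional


class HTTPError(Exception):
    """Minimal stand-in for quart.abort(): carries the HTTP status code."""

    def __init__(self, status: int, reason: str) -> None:
        super().__init__(f"{status} {reason}")
        self.status = status
        self.reason = reason


@dataclass
class Committer:
    """Hypothetical session object; `projects` and `is_admin` are assumed
    fields for this example, not ATR's real session API."""
    uid: str
    projects: frozenset = field(default_factory=frozenset)
    is_admin: bool = False


def to_relpath(raw: str) -> Optional[PurePosixPath]:
    """Validate that `raw` is a plain relative path inside the downloads tree.

    Rejects absolute paths, backslashes, NUL bytes, empty segments and the
    '.' / '..' segments, so the result can be joined under a root directory
    without escaping it. Returns None when the path is unacceptable, the
    same None contract the issue's code relies on from form.to_relpath.
    """
    if not raw or raw.startswith("/") or "\\" in raw or "\x00" in raw:
        return None
    parts = raw.split("/")
    if any(p in ("", ".", "..") for p in parts):
        return None
    return PurePosixPath(*parts)


def project_of(relpath: PurePosixPath) -> str:
    """Assumed layout: the downloads tree is <project>/<release>/<file>,
    so the first segment names the owning project."""
    return relpath.parts[0]


def authorize_published_path(session: Committer, raw_path: str) -> PurePosixPath:
    """Return the validated relative path the session may read, or raise.

    400 for malformed paths (validation happens before any project name is
    trusted), 403 when the committer is neither an admin nor a member of the
    project that owns the file. This is the check the issue says is missing.
    """
    relpath = to_relpath(raw_path)
    if relpath is None:
        raise HTTPError(400, "Bad Request")
    project = project_of(relpath)
    if not session.is_admin and project not in session.projects:
        raise HTTPError(403, "Forbidden")
    return relpath


def serve_status(session: Committer, raw_path: str) -> int:
    """HTTP status the endpoint would return for `raw_path` (200 on success)."""
    try:
        authorize_published_path(session, raw_path)
    except HTTPError as err:
        return err.status
    return 200


if __name__ == "__main__":
    # Constructed sample sessions and request paths.
    alice = Committer("alice", frozenset({"tooling"}))
    mallory = Committer("mallory", frozenset({"other"}))
    root = Committer("root", is_admin=True)
    requests = (
        "tooling/1.0/apache-tooling-1.0.tar.gz",  # alice: 200, mallory: 403
        "other/1.0/x.tgz",                        # alice: 403, mallory: 200
        "../../etc/passwd",                       # traversal: 400 for everyone
        "/tooling/1.0/x.tgz",                     # absolute: 400
        "tooling//1.0/x.tgz",                     # empty segment: 400
    )
    for who in (alice, mallory, root):
        for req in requests:
            print(f"{who.uid:8} {req:40} {serve_status(who, req)}")
```

The order matters: the path is validated first, and only then is the project name read from it, so a request such as `../other/1.0/x.tgz` is rejected as malformed rather than being authorized against the wrong project. The `is_admin` branch covers the issue's last acceptance criterion (keeping the endpoint admin-only) without a second code path.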