andrewmusselman opened a new issue, #600:
URL: https://github.com/apache/tooling-trusted-releases/issues/600
## Summary
Release workflow operations do not consistently validate the current phase
before allowing actions. This allows operations to be performed out of
sequence, potentially bypassing required validation steps.
## ASVS Requirements
- 2.3.1 - Verify that business logic flows are processed in sequence and cannot be bypassed
## Related Audit Reports
- [2.3.1.md](ASVS/reports/44ee502/L1/2.3.1.md) - Business logic sequence findings
## Affected Files
- Multiple endpoints in `atr/post/` directory
- `atr/storage/writers/` directory
## Risk
- Release operations performed before required checks complete
- Bypass of mandatory approval workflows
- Inconsistent release state
- Potential for releasing unchecked artifacts
## Recommended Fix
```python
# atr/storage/writers/release.py
from enum import Enum
from typing import Set


class ReleasePhase(Enum):
    DRAFT = "draft"
    UPLOADED = "uploaded"
    CHECKING = "checking"
    CHECKED = "checked"
    VOTING = "voting"
    APPROVED = "approved"
    PUBLISHED = "published"


# Define valid phase transitions
VALID_TRANSITIONS: dict[ReleasePhase, Set[ReleasePhase]] = {
    ReleasePhase.DRAFT: {ReleasePhase.UPLOADED},
    ReleasePhase.UPLOADED: {ReleasePhase.CHECKING},
    ReleasePhase.CHECKING: {ReleasePhase.CHECKED},
    ReleasePhase.CHECKED: {ReleasePhase.VOTING},
    ReleasePhase.VOTING: {ReleasePhase.APPROVED, ReleasePhase.DRAFT},  # Can reject
    ReleasePhase.APPROVED: {ReleasePhase.PUBLISHED},
}


# Method of the release writer; _get_release and _save_release are assumed to be
# the writer's existing load/persist helpers.
async def transition_phase(self, release_id: int, to_phase: ReleasePhase) -> None:
    """Transition release to new phase with validation."""
    release = await self._get_release(release_id)
    current_phase = ReleasePhase(release.phase)
    if to_phase not in VALID_TRANSITIONS.get(current_phase, set()):
        raise ValueError(
            f"Invalid phase transition: {current_phase.value} -> {to_phase.value}"
        )
    release.phase = to_phase.value
    await self._save_release(release)
```
## Acceptance Criteria
- [ ] Release phase enum defined with all valid states
- [ ] Valid phase transitions explicitly defined
- [ ] Phase validation performed before all state-changing operations
- [ ] Invalid transitions return clear error messages
- [ ] Audit logging of phase transitions
- [ ] Test coverage for valid and invalid transitions
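The pattern sketched in the recommended fix, carried through as a runnable example (added here; it is not code from the tooling-trusted-releases project). It keeps the `ReleasePhase` enum and `VALID_TRANSITIONS` table above, adds a `requires_phase` guard so every state-changing operation checks the current phase before it acts, records each transition in an audit list, and shows an out-of-sequence publish being refused with a clear message. The `ReleaseWriter` class, its in-memory `phases` dict, the `audit_log` list and the operation names (`upload_artifacts`, `start_checks`, `record_checks_passed`, `start_vote`, `close_vote`, `publish`) are constructed for this example.

```python
# Added example, not project code: ReleaseWriter, its in-memory `phases` store,
# `audit_log` and the operation names below are constructed for illustration.
import asyncio
import functools
from dataclasses import dataclass, field
from enum import Enum


class ReleasePhase(Enum):
    DRAFT = "draft"
    UPLOADED = "uploaded"
    CHECKING = "checking"
    CHECKED = "checked"
    VOTING = "voting"
    APPROVED = "approved"
    PUBLISHED = "published"


# Every phase has an entry, so an unknown phase is a KeyError, not a silent empty set.
VALID_TRANSITIONS: dict[ReleasePhase, frozenset[ReleasePhase]] = {
    ReleasePhase.DRAFT: frozenset({ReleasePhase.UPLOADED}),
    ReleasePhase.UPLOADED: frozenset({ReleasePhase.CHECKING}),
    ReleasePhase.CHECKING: frozenset({ReleasePhase.CHECKED}),
    ReleasePhase.CHECKED: frozenset({ReleasePhase.VOTING}),
    ReleasePhase.VOTING: frozenset({ReleasePhase.APPROVED, ReleasePhase.DRAFT}),  # failed vote reopens draft
    ReleasePhase.APPROVED: frozenset({ReleasePhase.PUBLISHED}),
    ReleasePhase.PUBLISHED: frozenset(),  # terminal
}


class InvalidPhaseError(Exception):
    """An operation or transition was attempted in a phase that does not permit it."""


def requires_phase(*allowed: ReleasePhase):
    """Refuse a writer operation unless the release is currently in one of `allowed`."""
    def decorator(func):
        @functools.wraps(func)
        async def wrapper(self: "ReleaseWriter", release_id: int, *args, **kwargs):
            current = self.phases[release_id]
            if current not in allowed:
                names = " or ".join(p.value for p in allowed)
                raise InvalidPhaseError(
                    f"{func.__name__} requires phase {names}; release {release_id} is in phase {current.value}")
            return await func(self, release_id, *args, **kwargs)
        return wrapper
    return decorator


@dataclass
class ReleaseWriter:
    phases: dict[int, ReleasePhase] = field(default_factory=dict)
    audit_log: list[tuple[int, str, str, str]] = field(default_factory=list)  # (id, actor, from, to)

    async def transition_phase(self, release_id: int, to_phase: ReleasePhase, actor: str) -> ReleasePhase:
        """Single choke point for phase changes: validate against the table, persist, then audit."""
        current = self.phases[release_id]
        if to_phase not in VALID_TRANSITIONS[current]:
            raise InvalidPhaseError(f"Invalid phase transition: {current.value} -> {to_phase.value}")
        self.phases[release_id] = to_phase
        self.audit_log.append((release_id, actor, current.value, to_phase.value))
        return to_phase

    # Each state-changing operation declares the phase it requires; the guard runs before the body.
    @requires_phase(ReleasePhase.DRAFT)
    async def upload_artifacts(self, release_id: int, actor: str) -> ReleasePhase:
        return await self.transition_phase(release_id, ReleasePhase.UPLOADED, actor)

    @requires_phase(ReleasePhase.UPLOADED)
    async def start_checks(self, release_id: int, actor: str) -> ReleasePhase:
        return await self.transition_phase(release_id, ReleasePhase.CHECKING, actor)

    @requires_phase(ReleasePhase.CHECKING)
    async def record_checks_passed(self, release_id: int, actor: str) -> ReleasePhase:
        return await self.transition_phase(release_id, ReleasePhase.CHECKED, actor)

    @requires_phase(ReleasePhase.CHECKED)
    async def start_vote(self, release_id: int, actor: str) -> ReleasePhase:
        return await self.transition_phase(release_id, ReleasePhase.VOTING, actor)

    @requires_phase(ReleasePhase.VOTING)
    async def close_vote(self, release_id: int, actor: str, passed: bool) -> ReleasePhase:
        target = ReleasePhase.APPROVED if passed else ReleasePhase.DRAFT
        return await self.transition_phase(release_id, target, actor)

    @requires_phase(ReleasePhase.APPROVED)
    async def publish(self, release_id: int, actor: str) -> ReleasePhase:
        return await self.transition_phase(release_id, ReleasePhase.PUBLISHED, actor)


def demo() -> dict[str, object]:
    """Attempt an out-of-sequence publish, then walk the legitimate sequence to the end."""
    async def run() -> dict[str, object]:
        writer = ReleaseWriter(phases={1: ReleasePhase.DRAFT})
        try:
            await writer.publish(1, "alice")  # draft -> published must be refused
            refusal = ""
        except InvalidPhaseError as exc:
            refusal = str(exc)
        for step in (writer.upload_artifacts, writer.start_checks, writer.record_checks_passed, writer.start_vote):
            await step(1, "alice")
        await writer.close_vote(1, "alice", passed=True)
        final = await writer.publish(1, "alice")
        return {"refusal": refusal, "final": final.value, "audit": writer.audit_log}
    return asyncio.run(run())
```

`demo()` returns the refusal message for the premature publish, the final phase and the six audit entries of the legitimate walk. In a real writer the `phases` dict would be the persisted release record and the audit entries would go to a durable log, but the shape of the control is what the acceptance criteria ask for: one transition table, one choke point that applies it, and a guard on every operation so no endpoint can skip the phase check.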
--
This is an automated message from the Apache Git Service.