andrewmusselman opened a new issue, #662:
URL: https://github.com/apache/tooling-trusted-releases/issues/662
**Audit refs:** 8.1.1 HIGH-06
#### Description
`atr/tasks/svn.py:59-67` — the SVN import task accepts arbitrary URLs from
user input without validating them against an allowlist of permitted Apache
repositories. The command also trusts invalid TLS certificates.
```python
svn_command = [
    "svn", "export", "--non-interactive",
    "--trust-server-cert-failures", "unknown-ca,cn-mismatch",  # Trusts invalid certs
    "-r", args.revision,  # Unvalidated
    "--", args.svn_url,  # Unvalidated — could be any URL
]
```
#### Recommended fix
1. Document that all domains are properly checked
2. Ensure `atr/docs` is read during audit
**CWE:** CWE-918 (SSRF) | **CVSS:** 7.5+
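The hardened counterpart of the snippet above, as an added example that is not code from the apache/tooling-trusted-releases project: the user-supplied URL and revision are checked against an explicit allowlist before they reach the `svn` argv, and the command is built without `--trust-server-cert-failures` so a certificate problem fails the export instead of being accepted. `ALLOWED_SVN_HOSTS` is an assumed list for illustration; the real set of permitted Apache hosts would live in the project's configuration.

```python
# Added example (not the project's code): allowlist validation for an SVN
# export URL and revision, and strict-TLS command construction.
import re
from urllib.parse import urlsplit

# Assumption for illustration; the real allowlist belongs in configuration.
ALLOWED_SVN_HOSTS = frozenset({"svn.apache.org", "dist.apache.org"})
ALLOWED_SCHEME = "https"
# HEAD or a plain revision number; rejects option-like strings such as "--foo".
REVISION_RE = re.compile(r"HEAD|[0-9]{1,12}")


class InvalidSvnUrl(ValueError):
    """Raised when user input is outside what the allowlist permits."""


def validate_svn_url(url: str) -> str:
    """Return a normalised URL if it targets an allowed host, else raise.

    Host matching is exact (no suffix matching, so svn.apache.org.example is
    rejected); https only; no embedded credentials; default port only;
    absolute path without dot segments; no query or fragment.
    """
    parts = urlsplit(url)
    if parts.scheme != ALLOWED_SCHEME:  # urlsplit lowercases the scheme
        raise InvalidSvnUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise InvalidSvnUrl("credentials in URL are not allowed")
    host = parts.hostname  # already lowercased by urlsplit
    if host is None or host not in ALLOWED_SVN_HOSTS:
        raise InvalidSvnUrl(f"host not allowed: {host!r}")
    try:
        port = parts.port
    except ValueError as exc:
        raise InvalidSvnUrl("malformed port") from exc
    if port not in (None, 443):
        raise InvalidSvnUrl(f"port not allowed: {port}")
    if not parts.path.startswith("/"):
        raise InvalidSvnUrl("path must be absolute")
    if any(seg in ("..", ".") for seg in parts.path.split("/")):
        raise InvalidSvnUrl("dot segments not allowed in path")
    if parts.query or parts.fragment:
        raise InvalidSvnUrl("query and fragment not allowed")
    return f"{ALLOWED_SCHEME}://{host}{parts.path}"


def validate_revision(revision: str) -> str:
    """Accept only HEAD or a numeric revision, never option-like text."""
    if not REVISION_RE.fullmatch(revision):
        raise InvalidSvnUrl(f"revision not allowed: {revision!r}")
    return revision


def is_allowed_svn_url(url: str) -> bool:
    """Boolean form of validate_svn_url for callers that only need a verdict."""
    try:
        validate_svn_url(url)
    except InvalidSvnUrl:
        return False
    return True


def build_svn_export_command(svn_url: str, revision: str, dest: str) -> list[str]:
    """Build the svn export argv from validated inputs with strict TLS.

    Deliberately omits --trust-server-cert-failures, so an unknown CA or a
    CN mismatch aborts the export rather than being silently accepted.
    """
    url = validate_svn_url(svn_url)
    rev = validate_revision(revision)
    return ["svn", "export", "--non-interactive", "-r", rev, "--", url, dest]


if __name__ == "__main__":
    print(build_svn_export_command(
        "https://svn.apache.org/repos/dist/release/example/", "HEAD", "/tmp/out"))
```

The exact-match host check is the important part: a suffix or substring test would let `svn.apache.org.example` or `svn.apache.org@other.host` through, and both are rejected here. Leaving the URL after `--` keeps an option-looking value from being parsed as a flag, but that only helps once the value is already confined to the allowlist.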
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]