andrewmusselman opened a new issue, #682:
URL: https://github.com/apache/tooling-trusted-releases/issues/682
**ASVS Requirement:** 13.4.1 — Verify that source control metadata is
excluded from deployment or made inaccessible.
**Audit Finding:** 2.4 — Path Validation Does Not Explicitly Block SCM Paths
**Severity:** LOW
**CWE:** CWE-538 (Insertion of Sensitive Information into
Externally-Accessible File or Directory)
**Description:**
The path validation function `_validate_relpath_string` in `atr/form.py`
prevents path traversal (`..`) but does not explicitly reject paths containing
`.git`, `.svn`, or other SCM directory components. While the dotfiles check in
`atr/tasks/checks/paths.py` catches these during release checks and the
dot-prefix prevention in `atr/storage/writers/release.py` blocks directory
creation, adding validation at the path parsing layer strengthens
defense-in-depth.
**Evidence:**
```python
# atr/form.py - Path validation
for part in posix_path.parts:
    if part == "..":
        raise ValueError("Parent directory references (..) are not allowed")
    if part == ".":
        raise ValueError("Self directory references (.) are not allowed")
# MISSING: No check for ".git", ".svn"
```
**Suggested implementation:**
Investigate whether this is very low effort; only if so, make the change.
```python
_SCM_DIRECTORIES = frozenset({'.git', '.svn', '.hg', '.bzr', '.cvs'})
for part in posix_path.parts:
    if part.lower() in _SCM_DIRECTORIES:
        raise ValueError(f"Access to source control directories ({part}) is not allowed")
```
**Location:** `atr/form.py`
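As an added example (not code from `atr/form.py` or the project), here is a stand-alone validator that combines the existing traversal checks with the proposed SCM-directory rejection. The function and constant names, and splitting the string on `/` instead of using `pathlib` parts, are my assumptions.

```python
# Added example, not the project's own atr/form.py implementation.
# Validates a relative POSIX path string component by component and rejects
# traversal, self references, absolute/empty components and SCM metadata dirs.

# SCM directory names the issue proposes blocking; compared case-insensitively.
SCM_DIRECTORIES = frozenset({".git", ".svn", ".hg", ".bzr", ".cvs"})


def validate_relpath(relpath: str) -> tuple[str, ...]:
    """Return the path's components if it is a safe relative path, else raise ValueError."""
    if not relpath:
        raise ValueError("Path must not be empty")
    # Split on "/" rather than using pathlib, so that "." and "" components are
    # visible to the checks below (pathlib would silently collapse them).
    parts = relpath.split("/")
    for part in parts:
        if part == "":
            raise ValueError("Absolute paths and empty components (//) are not allowed")
        if part == "..":
            raise ValueError("Parent directory references (..) are not allowed")
        if part == ".":
            raise ValueError("Self directory references (.) are not allowed")
        # The defense-in-depth check this issue asks for: any SCM metadata
        # directory anywhere in the path is rejected at the parsing layer.
        if part.lower() in SCM_DIRECTORIES:
            raise ValueError(f"Access to source control directories ({part}) is not allowed")
    return tuple(parts)


def is_safe_relpath(relpath: str) -> bool:
    """Boolean wrapper around validate_relpath for quick filtering."""
    try:
        validate_relpath(relpath)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: the first two are accepted, the rest rejected.
    for candidate in ("dist/apache-foo-1.0.tar.gz", "src/.gitignore",
                      "../secrets.txt", ".git/config", "src/.SVN/entries",
                      "/etc/passwd", "a/./b"):
        print(f"{candidate!r:32} -> {'ok' if is_safe_relpath(candidate) else 'rejected'}")
```

Note that `.gitignore` is accepted because the check matches whole components, not prefixes; a separate dotfile policy (as in `atr/tasks/checks/paths.py`) still applies downstream.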