andrewmusselman opened a new issue, #685:
URL: https://github.com/apache/tooling-trusted-releases/issues/685

   
   **ASVS Requirements:** V12.2.1, V12.2.2
   **CWE:** CWE-319 (Cleartext Transmission of Sensitive Information)
   **Severity:** MEDIUM
   **File:** `atr/svn/pubsub.py` (lines ~54–58)
   
   ### Description
   
   The PubSub listener URL validation accepts both `http://` and `https://` schemes, despite the error message suggesting HTTPS is expected. Commit notifications and credentials (used on lines ~69–70) could be transmitted in cleartext if an HTTP URL is configured.
   
   ### Current code
   
   ```python
   if not self.url.startswith(("http://", "https://")):
       log.error(
           f"Invalid PubSub URL: {self.url!r}. Expected full URL like "
           "'https://pubsub.apache.org:2069'",
       )
   ```
   
   ### Recommended fix for when we start to use PubSub
   
   ```python
   if not self.url.startswith("https://"):
       log.error(
           f"PubSub URL must use HTTPS: {self.url!r}. Example: "
           "'https://pubsub.apache.org:2069'",
       )
       log.warning("SVNListener disabled: only HTTPS URLs are permitted")
       return
   ```
   


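A stricter form of the check proposed in the issue, written here as an added example; it is not code from the issue author or from `apache/tooling-trusted-releases`. It parses the configured URL with `urllib.parse.urlsplit` instead of a prefix test, so scheme casing, a missing hostname, a malformed port and credentials embedded in the URL are all rejected alongside plain `http://`. The names `validate_pubsub_url`, `ListenerStub` and `EXAMPLE_URL` are assumptions for illustration, as is the `self.url` / disable-on-failure shape of the listener.

```python
"""Strict HTTPS-only PubSub URL validation.

Added example, not the project's code. Assumed names: validate_pubsub_url,
ListenerStub, EXAMPLE_URL. The listener is assumed to keep its endpoint in
self.url and to disable itself (not fall back to HTTP) when the URL is rejected.
"""

import logging
from typing import Optional
from urllib.parse import urlsplit

log = logging.getLogger(__name__)

EXAMPLE_URL = "https://pubsub.apache.org:2069"  # example value quoted in the issue


def validate_pubsub_url(url: str) -> Optional[str]:
    """Return None if `url` is acceptable, otherwise a short reason for rejection.

    Checks, in order:
      * parse with urlsplit rather than str.startswith, so "HTTPS://..." and
        scheme-less strings are handled consistently;
      * scheme must be https: commit notifications and the listener's own
        credentials would otherwise cross the wire in cleartext (CWE-319);
      * a hostname must be present ("https://" alone is rejected);
      * the port, if any, must be a valid integer (urlsplit().port raises
        ValueError for "host:abc" or an out-of-range port);
      * userinfo (user:pass@host) is rejected so credentials never sit in a
        config string that is echoed into an error log.
    """
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError for a malformed or out-of-range port
    except ValueError as exc:
        return f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return f"scheme {parts.scheme!r} is not https; only HTTPS is permitted"
    if not parts.hostname:
        return "missing hostname"
    if parts.username is not None or parts.password is not None:
        return "credentials must not be embedded in the URL"
    return None


class ListenerStub:
    """Hypothetical stand-in for the SVN listener: refuses to start on a bad URL."""

    def __init__(self, url: str) -> None:
        self.url = url
        self.enabled = False

    def start(self) -> bool:
        reason = validate_pubsub_url(self.url)
        if reason is not None:
            # Log the reason and a valid example, then stay disabled rather
            # than silently continuing with a cleartext endpoint.
            log.error("Invalid PubSub URL %r: %s. Example: %r", self.url, reason, EXAMPLE_URL)
            log.warning("Listener disabled: only HTTPS URLs are permitted")
            return False
        self.enabled = True
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample configuration values, not taken from any real deployment.
    for candidate in (
        "https://pubsub.apache.org:2069",
        "HTTPS://pubsub.apache.org",
        "http://pubsub.apache.org:2069",
        "pubsub.apache.org:2069",
        "https://bot:secret@pubsub.apache.org:2069",
        "https://pubsub.apache.org:99999",
        "https://",
    ):
        print(f"{candidate!r:45} -> {validate_pubsub_url(candidate) or 'ok'}")
```

Returning a reason string rather than a bare boolean lets the caller log why the URL was refused without the validator itself deciding how loudly to complain; the listener stub shows the fail-closed behaviour the issue asks for, where a rejected URL leaves the listener disabled instead of falling back to HTTP.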