andrewmusselman opened a new issue, #711:
URL: https://github.com/apache/tooling-trusted-releases/issues/711
**ASVS Requirement:** 4.1.1 — Verify that every HTTP response with a message
body contains a Content-Type header field that matches the actual content,
including the charset parameter
**Severity:** Medium
**CWE:** CWE-436 (Interpretation Conflict)
### Description
The `/result/data/<project_name>/<version_name>/<int:check_id>` endpoint in
`atr/get/result.py` (lines 30–39) returns JSON-serialized content using
`web.TextResponse`, which sets a `text/plain` Content-Type. The actual content
is JSON (confirmed by the docstring "Show a check result as formatted JSON" and
the use of `json.dumps()`).
This violates ASVS 4.1.1 because the Content-Type does not match the actual
content of the response.
### Current Code
```python
@get.committer("/result/data/<project_name>/<version_name>/<int:check_id>")
async def data(
    session: web.Committer,
    project_name: str,
    version_name: str,
    check_id: int,
) -> web.TextResponse:
    """Show a check result as formatted JSON."""
    # The lookup that populates check_result is elided in this excerpt.
    payload = check_result.model_dump(mode="json", exclude={"release"})
    body = json.dumps(payload, indent=2, sort_keys=True)
    # TextResponse declares text/plain although the body is JSON.
    return web.TextResponse(f"{body}\n")
```
### Impact
- Browsers and HTTP clients may not parse the response as JSON, leading to
interpretation conflicts.
- API consumers relying on Content-Type for response handling will
misidentify this as plain text.
### Recommended Fix
Add an `audit_guidance` comment explaining that this is done on purpose for
presentation in the browser.
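The following is an added, framework-agnostic example (not code from the issue or from the apache/tooling-trusted-releases project) showing how a reviewer can verify the ASVS 4.1.1 finding described above and what a conforming response would declare. It assumes nothing about `web.TextResponse`; the `check_asvs_4_1_1`, `sniff_media_type` and `json_response` functions and the sample body are constructed for this illustration. The charset check follows the ASVS wording quoted in the issue, which asks for the parameter even on JSON, where RFC 8259 leaves it optional.

```python
"""Added example: check a response's Content-Type against its actual body
(ASVS 4.1.1) and build a body/header pair that would pass the check."""
from __future__ import annotations

import json
from email.message import Message


def parse_content_type(header: str) -> tuple[str, str | None]:
    """Split a Content-Type header into (media type, charset) using the stdlib
    header parser. The media type comes back lower-cased; charset is None
    when the parameter is absent."""
    msg = Message()
    msg["Content-Type"] = header
    return msg.get_content_type(), msg.get_param("charset")


def sniff_media_type(body: bytes) -> str:
    """Guess what the body actually is. Only JSON vs. plain text is needed
    here: a body that parses as a JSON object or array counts as JSON.
    Bare JSON scalars ("123", "\"x\"") are treated as text to avoid false
    positives on ordinary text bodies."""
    try:
        parsed = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "text/plain"
    return "application/json" if isinstance(parsed, (dict, list)) else "text/plain"


def check_asvs_4_1_1(content_type: str | None, body: bytes) -> list[str]:
    """Return a list of findings (empty when the response conforms)."""
    findings: list[str] = []
    if not body:
        return findings  # the requirement only covers responses with a body
    if content_type is None:
        return ["missing Content-Type header on a response with a body"]
    declared, charset = parse_content_type(content_type)
    actual = sniff_media_type(body)
    if declared != actual:
        findings.append(f"declared {declared} but body looks like {actual}")
    # Per the ASVS wording, textual types (and JSON) must carry a charset
    # that the body actually decodes under.
    if declared.startswith("text/") or declared == "application/json":
        if charset is None:
            findings.append("charset parameter missing")
        else:
            try:
                body.decode(charset)
            except (LookupError, UnicodeDecodeError):
                findings.append(f"body is not valid {charset}")
    return findings


def json_response(payload: dict) -> tuple[bytes, dict[str, str]]:
    """Build the body and headers that would satisfy 4.1.1 for the endpoint
    in the issue: same formatting (indent=2, sort_keys=True, trailing newline)
    but declared as JSON. Plug into whatever response class the web layer
    provides; this helper is hypothetical and not part of the project."""
    body = (json.dumps(payload, indent=2, sort_keys=True) + "\n").encode("utf-8")
    return body, {"Content-Type": "application/json; charset=utf-8"}


if __name__ == "__main__":
    # Constructed sample: what the current endpoint would send.
    sample_body = b'{\n  "check_id": 7,\n  "status": "success"\n}\n'
    print("current :", check_asvs_4_1_1("text/plain; charset=utf-8", sample_body))
    fixed_body, fixed_headers = json_response({"check_id": 7, "status": "success"})
    print("fixed   :", check_asvs_4_1_1(fixed_headers["Content-Type"], fixed_body))
```

Running the script reports the declared/actual mismatch for the `text/plain` variant and no findings for the `application/json; charset=utf-8` variant; if the project keeps the current behaviour on purpose, this check is what an auditor would expect the `audit_guidance` comment to explain away.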
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.