andrewmusselman opened a new issue, #719: URL: https://github.com/apache/tooling-trusted-releases/issues/719
**ASVS Requirement:** 5.3.2 — Verify that user-submitted filenames/paths are protected against path traversal, LFI, RFI, and SSRF.

**Description:** Functions in `atr/attestable.py` (lines 37-48) construct file paths by directly joining user-controllable parameters (`project_name`, `version_name`, `revision_number`) without validation against path traversal sequences. These paths are used in file write operations (`.json` attestation files).

**Affected functions:**

- `attestable_path()`
- `attestable_paths_path()`
- `github_tp_payload_path()`

**Attack vector:** A value like `../../etc` for any parameter could escape the intended `attestable/` directory structure during writes.

**CWE:** CWE-22 (Path Traversal)

**Recommended remediation:** Add a shared path component validator that rejects `..`, `/`, `\`, and `\x00` in all three parameters, and apply it in each function before constructing the path.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]

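The shared validator the remediation asks for, as an added example that is not code from the `tooling-trusted-releases` project: `validate_path_component()` rejects the sequences the issue names (plus empty and `.`), and a hypothetical `attestable_path()` shows it applied to every user-controlled component before the path is built, with a second check that the resolved path is still under `attestable/`. The `<base>/attestable/<project>/<version>/<revision>.json` layout is an assumption for illustration, not the project's real layout.

```python
import pathlib

# Sequences a path component must never contain (from the issue's remediation).
_FORBIDDEN = ("..", "/", "\\", "\x00")


class InvalidPathComponent(ValueError):
    """Raised when a user-supplied path component could escape the base directory."""


def validate_path_component(value: str, name: str = "component") -> str:
    """Reject '..', '/', '\\', NUL, empty strings and a bare '.'; return the value if safe."""
    if not isinstance(value, str) or not value:
        raise InvalidPathComponent(f"{name} must be a non-empty string")
    for bad in _FORBIDDEN:
        if bad in value:
            raise InvalidPathComponent(f"{name} contains forbidden sequence {bad!r}")
    # A bare "." would silently resolve to the parent directory itself.
    if value == ".":
        raise InvalidPathComponent(f"{name} may not be '.'")
    return value


def is_safe_component(value: str) -> bool:
    """Boolean form of the validator for callers that prefer not to catch exceptions."""
    try:
        validate_path_component(value)
    except InvalidPathComponent:
        return False
    return True


def attestable_path(base, project_name: str, version_name: str, revision_number: str) -> pathlib.Path:
    """Hypothetical layout: <base>/attestable/<project>/<version>/<revision>.json.

    Every component is validated first; the normalised result is then checked to
    still sit under <base>/attestable as an independent, second line of defence.
    """
    root = (pathlib.Path(base) / "attestable").resolve()
    candidate = (
        root
        / validate_path_component(project_name, "project_name")
        / validate_path_component(version_name, "version_name")
        / (validate_path_component(revision_number, "revision_number") + ".json")
    ).resolve()
    if root not in candidate.parents:
        raise InvalidPathComponent("resolved path escapes the attestable directory")
    return candidate
```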