andrewmusselman opened a new issue, #726:
URL: https://github.com/apache/tooling-trusted-releases/issues/726
**ASVS References:** 6.3.2 (Finding 1), 6.1.1 (Finding 06), 6.3.1 (Finding LOW-002)
### Description
When `ALLOW_TESTS=true`, significant security controls are bypassed:
1. **A hardcoded "test" user gains full admin privileges** — unauthenticated users can visit `/test/login` to receive an admin session (`is_admin("test")` returns `True`)
2. **Rate limiting is completely disabled** — all `quart_rate_limiter` protections are skipped
3. **All authenticated users receive membership in the "test" committee**
4. **A test committee is created with the "test" user as sole member/committer/release manager**
There is no runtime validation to prevent this configuration in production.
### Attack Path
1. `ALLOW_TESTS=true` in production (misconfiguration)
2. Attacker visits `/test/login`
3. Attacker receives valid session cookie for user "test"
4. `is_admin("test")` returns `True`
5. Full administrative access achieved — with rate limiting disabled
### Recommendation
Add a host name check for debug mode, and ensure the server does not start if `ALLOW_TESTS=true` is set on a host that is not a recognised test host.
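The following is an added illustration of the recommended guard, not code from the tooling-trusted-releases project. It assumes a hypothetical `check_test_mode` helper run before the Quart app binds its listener: the process refuses to start when `ALLOW_TESTS` is enabled on a host outside a constructed allowlist, and a hardened `is_admin` variant (also hypothetical) grants the "test" user admin rights only when that guard actually passed, rather than whenever the environment flag happens to be set.

```python
"""Startup guard: refuse to run with ALLOW_TESTS=true outside a test host.

Added example; host names below are constructed placeholders, not the
project's real deployment names.
"""
import os
import socket

# Hosts on which the test-only shortcuts (/test/login, disabled rate limiting,
# implicit "test" committee membership) may be active. Constructed values.
TEST_HOST_ALLOWLIST = ("localhost", "127.0.0.1")
TEST_HOST_SUFFIXES = (".test", ".local")


class UnsafeConfiguration(RuntimeError):
    """Raised when a test/debug setting would be active on a production host."""


def parse_bool(value) -> bool:
    """Interpret the usual truthy spellings of an environment flag."""
    if value is None:
        return False
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def check_test_mode(env: dict, hostname: str) -> bool:
    """Return True if ALLOW_TESTS is on and permitted for this host.

    Raises UnsafeConfiguration when ALLOW_TESTS is enabled on a host that is
    not a recognised test host, so the caller aborts start-up instead of
    exposing an unauthenticated admin login with rate limiting switched off.
    """
    if not parse_bool(env.get("ALLOW_TESTS")):
        return False  # normal production mode: nothing to validate
    host = hostname.strip().lower()
    permitted = host in TEST_HOST_ALLOWLIST or host.endswith(TEST_HOST_SUFFIXES)
    if not permitted:
        raise UnsafeConfiguration(
            f"ALLOW_TESTS=true is not permitted on host {host!r}; refusing to start"
        )
    return True


def is_admin(username: str, admins: frozenset, test_mode_validated: bool) -> bool:
    """Hardened admin check (hypothetical): the 'test' user is only an admin
    when the startup guard confirmed test mode for this host; everyone else
    must be in the configured admin set."""
    if username == "test":
        return test_mode_validated
    return username in admins


def guard_at_startup() -> bool:
    """Call once before the app starts serving; returns the validated mode."""
    return check_test_mode(dict(os.environ), socket.gethostname())


if __name__ == "__main__":
    try:
        print("test mode active" if guard_at_startup() else "test mode off")
    except UnsafeConfiguration as exc:
        raise SystemExit(f"fatal: {exc}")
```

The value returned by `guard_at_startup()` is what the request handlers should consult (for the `/test/login` route, the rate limiter bypass and the committee membership shortcut), so that a stray `ALLOW_TESTS=true` in a production environment can never enable those paths without the host check having passed.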
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.