andrewmusselman opened a new issue, #760:
URL: https://github.com/apache/tooling-trusted-releases/issues/760

   | Attribute | Value |
   |-----------|-------|
   | **Severity** | Low |
   | **Location** | `atr/tasks/vote.py`, `atr/tasks/gha.py`, `atr/tasks/message.py`, `atr/storage/__init__.py:238-271` |
   | **CWE** | CWE-285 (Improper Authorization) |
   
   **Description:**
   Background task handlers and storage context managers accept user identity (e.g., `asf_uid`, `initiator_id`) as parameters without re-verification against any session:
   
   **Task Parameters:**
   ```python
   # atr/tasks/vote.py
   class Initiate(schema.Strict):
       initiator_id: str = schema.description("ASF ID of the vote initiator")
       
   # atr/tasks/gha.py  
   class DistributionWorkflow(schema.Strict):
       asf_uid: str = schema.description("ASF UID of the user triggering the workflow")
   ```
   
   **Storage Context Managers:**
   ```python
   # atr/storage/__init__.py
   async def write(asf_uid: principal.UID = principal.ArgumentNone):
       if asf_uid is principal.ArgumentNone:
           authorisation = await principal.Authorisation()
       else:
           authorisation = await principal.Authorisation(asf_uid)  # Direct UID usage
   ```
   
   **Impact:** The security model relies entirely on calling code to properly authenticate users. If a task can be invoked through any path that doesn't validate the session first, user identity could be spoofed.
   
   **Recommendation:**
   1. Document this trust boundary explicitly as internal-only API (@sbp document with code comments and/or in runbook?)
   2. Ensure all external call sites use `principal.ArgumentNone` to force session-based authentication
   3. Consider adding signed claims to task arguments for verification
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.