andrewmusselman opened a new issue, #762:
URL: https://github.com/apache/tooling-trusted-releases/issues/762
**ASVS:** 1.2.2, 1.2.5 | **CWE:** CWE-918 (SSRF), CWE-78 | **Severity:** MEDIUM | **Effort:** Low
### Description
In `atr/tasks/svn.py` (lines ~55–96), the SVN import functionality accepts
user-controlled URLs without scheme validation. SVN supports `file://`,
`svn+ssh://`, and other protocols, so an attacker could use:
- `file:///etc/passwd` — read local files
- `svn+ssh://attacker.com/repo` — arbitrary network connections
- Internal network URLs — SSRF to internal services
The `--` argument separator prevents argument injection but does not prevent
malicious URL schemes.
### Remediation
Add a Pydantic field validator to restrict SVN URLs to `https` scheme only,
and optionally restrict the host to `.apache.org` domains:
```python
from urllib.parse import urlparse

import pydantic


class SvnImportArgs(pydantic.BaseModel):  # model name is illustrative
    svn_url: str

    @pydantic.field_validator('svn_url')
    @classmethod
    def validate_svn_url(cls, v: str) -> str:
        # Reject file://, svn+ssh:// and any other scheme before the URL
        # is handed to the svn client
        parsed = urlparse(v)
        if parsed.scheme not in {'http', 'https'}:
            raise ValueError("URL scheme must be http or https")
        return v
```
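The validator above checks only the scheme. As an added example that is not code from the tooling-trusted-releases project, the block below carries the remediation through to the optional `.apache.org` host restriction the issue mentions and covers the edge cases a reviewer would probe: mixed-case schemes and hosts, credentials embedded in the URL, look-alike domains such as `svn.apache.org.example.invalid`, and IP-literal hosts. It uses only the standard library so it runs without Pydantic; `validate_svn_url` raises `ValueError` on rejection, so its body can be dropped unchanged into a `@pydantic.field_validator('svn_url')` method. The function and constant names, the `restrict_host` parameter and the sample URLs are all constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed example; not the project's own code.
ALLOWED_SCHEMES = {"https"}      # https only, as the remediation text states
ALLOWED_DOMAIN = "apache.org"    # optional host restriction from the issue


def validate_svn_url(v: str, restrict_host: bool = True) -> str:
    """Return v unchanged if it is an acceptable SVN import URL, else raise ValueError.

    Shaped like a Pydantic field validator body: the value is returned on
    success and ValueError carries the rejection reason.
    """
    parsed = urlsplit(v.strip())

    # urlsplit lowercases the scheme, so "HTTPS://" is handled like "https://".
    # This is the check that blocks file://, svn+ssh:// and similar.
    scheme = parsed.scheme
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"URL scheme must be https, got {scheme or '(none)'!r}")

    # .hostname strips userinfo and port and lowercases; it is None for
    # scheme-only forms such as "file:///etc/passwd".
    host = parsed.hostname
    if not host:
        raise ValueError("URL must include a host")

    # Credentials in the URL would be passed to the svn client and may end
    # up in logs or process listings; refuse them outright.
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("credentials in the URL are not allowed")

    if restrict_host:
        # Compare on label boundaries so "apache.org.example.invalid" and
        # "notapache.org" are rejected; a trailing dot is treated as absent.
        host = host.rstrip(".")
        if host != ALLOWED_DOMAIN and not host.endswith("." + ALLOWED_DOMAIN):
            raise ValueError(f"host must be under {ALLOWED_DOMAIN}, got {host!r}")

    return v


def check(v: str, restrict_host: bool = True) -> tuple[bool, str]:
    """Non-raising wrapper: (True, "") when accepted, (False, reason) otherwise."""
    try:
        validate_svn_url(v, restrict_host=restrict_host)
    except ValueError as exc:
        return False, str(exc)
    return True, ""


if __name__ == "__main__":
    # Constructed sample inputs covering the cases named in the issue.
    samples = [
        "https://svn.apache.org/repos/asf/tooling",
        "HTTPS://SVN.APACHE.ORG/repos/asf/tooling",
        "http://svn.apache.org/repos/asf/tooling",
        "file:///etc/passwd",
        "svn+ssh://example.invalid/repo",
        "https://svn.apache.org.example.invalid/repos",
        "https://user:pw@svn.apache.org/repos",
        "https://127.0.0.1/repos",
    ]
    for url in samples:
        ok, reason = check(url)
        print(f"{'accept' if ok else 'reject':7} {url}  {reason}")
```

Note that with `restrict_host=False` the check still blocks `file://` and `svn+ssh://`, but `https://127.0.0.1/...` and other internal addresses are accepted, which is the SSRF case from the description; that is why the host allow-list is worth enabling rather than leaving optional.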
1. Validation is before tasks in the policy doc
   * Already tracked in https://github.com/apache/tooling-trusted-releases/issues/701
   * Add to runbook
3. Accept, and remove the CA bypass
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]