andrewmusselman opened a new issue, #771:
URL: https://github.com/apache/tooling-trusted-releases/issues/771
**Source:** ASVS 2.2.1 Finding HIGH-004

**CWE:** CWE-20 (Improper Input Validation)

**Location:** `atr/tasks/gha.py`, lines 51–67
#### Description
The `arguments` dictionary from workflow configuration is spread directly
into GitHub workflow dispatch inputs using `**args.arguments` without
validating keys or values. An attacker could inject arbitrary workflow input
keys that override security-sensitive values like `atr-id`, `asf-uid`, or
`project`.
#### Affected Code
```python
payload = {
    "ref": "main",
    "inputs": {
        "atr-id": unique_id,
        "asf-uid": args.asf_uid,
        "project": args.project_name,
        **args.arguments,  # Unvalidated dict spread: could override the keys above
    },
}
```
#### Recommendation
- Take out extra keywords
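The following is an added example, not code from the issue or from the tooling-trusted-releases project, showing the override described above next to one hardened form of the same payload builder. `DispatchArgs`, `build_payload_vulnerable`, `build_payload_hardened` and `RESERVED_INPUTS` are constructed names for this example; the input-name pattern and the cap of 10 inputs are assumptions, not values taken from `atr/tasks/gha.py`.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the `args` object used in atr/tasks/gha.py.
@dataclass
class DispatchArgs:
    asf_uid: str
    project_name: str
    arguments: dict = field(default_factory=dict)

# Keys the dispatching code sets itself; user-supplied `arguments` must never carry them.
RESERVED_INPUTS = frozenset({"atr-id", "asf-uid", "project"})

# Assumed conservative shape for a workflow_dispatch input name.
INPUT_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,63}$")

# Assumed upper bound on the number of inputs a dispatch may carry.
MAX_INPUTS = 10


def build_payload_vulnerable(unique_id: str, args: DispatchArgs) -> dict:
    """Mirrors the reported pattern: the spread comes last, so a colliding key wins."""
    return {
        "ref": "main",
        "inputs": {
            "atr-id": unique_id,
            "asf-uid": args.asf_uid,
            "project": args.project_name,
            **args.arguments,
        },
    }


def validate_extra_inputs(arguments: dict) -> dict:
    """Return a validated copy of caller-supplied inputs, or raise ValueError.

    Fails closed: a reserved key is rejected rather than silently dropped, so an
    attempted override surfaces as an error instead of disappearing.
    """
    if not isinstance(arguments, dict):
        raise ValueError("arguments must be a dict")
    if len(arguments) > MAX_INPUTS - len(RESERVED_INPUTS):
        raise ValueError("too many workflow inputs")
    clean = {}
    for key, value in arguments.items():
        if not isinstance(key, str) or not INPUT_NAME_RE.match(key):
            raise ValueError(f"invalid workflow input name: {key!r}")
        if key in RESERVED_INPUTS:
            raise ValueError(f"reserved workflow input may not be overridden: {key!r}")
        if not isinstance(value, str):
            raise ValueError(f"workflow input {key!r} must be a string")
        clean[key] = value
    return clean


def build_payload_hardened(unique_id: str, args: DispatchArgs) -> dict:
    """Validate the extra inputs first, then let the fixed keys be written last."""
    extra = validate_extra_inputs(args.arguments)
    inputs = dict(extra)
    # Fixed keys are assigned after the spread, so even a validator bug cannot
    # let a caller-supplied key shadow them.
    inputs["atr-id"] = unique_id
    inputs["asf-uid"] = args.asf_uid
    inputs["project"] = args.project_name
    return {"ref": "main", "inputs": inputs}


def override_rejected(unique_id: str, args: DispatchArgs) -> bool:
    """True if the hardened builder refuses these arguments."""
    try:
        build_payload_hardened(unique_id, args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed arguments that try to replace the asf-uid set by the caller.
    hostile = DispatchArgs("alice", "proj", {"asf-uid": "mallory", "extra": "x"})
    print(build_payload_vulnerable("id-1", hostile)["inputs"]["asf-uid"])  # mallory
    print(override_rejected("id-1", hostile))  # True
```

Rejecting a reserved key, rather than just ordering the fixed keys last, keeps the attempted override visible in logs; the ordering is kept as a second line of defence.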
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]