andrewmusselman opened a new issue, #774:
URL: https://github.com/apache/tooling-trusted-releases/issues/774
**Source:** ASVS 2.2.1 Finding MEDIUM-002, ASVS 2.2.2 Finding 8
**CWE:** CWE-20 (Improper Input Validation)
**Locations:**
- `atr/mail.py`, lines 52–54
- `atr/tasks/message.py`, lines 38–53
#### Description
Email validation is inconsistent. In `mail.py`, validation checks only the
domain suffix. In `tasks/message.py`, it only checks for `@` presence. There is
also a logic bug where `sending_to_self` compares a domain to a full email
address, causing the check to always fail:
```python
recipient_domain = args.email_recipient.split("@")[-1]
sending_to_self = recipient_domain == f"{sender_asf_uid}@apache.org"  # Bug: domain vs full address
```
Additionally, the `LdapLookupForm` uses `str` instead of `form.Email`
(Pydantic `EmailStr`) for its email field.
#### Recommendation
- Use Pydantic `EmailStr` consistently across all email fields
- Fix the `sending_to_self` comparison bug
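Added example, not code from the project: the reported comparison next to a corrected one, with a stdlib-only address check standing in for the Pydantic `EmailStr` recommended above. `ASF_DOMAIN`, `normalize_email` and the function names are assumptions for illustration.

```python
# Added example; not from apache/tooling-trusted-releases. Demonstrates the
# sending_to_self bug from the issue and a corrected, consistently validated form.
import re

ASF_DOMAIN = "apache.org"  # assumption: the domain the project's sender uids live under

# Hostname-style domain: dot-separated labels, no leading/trailing hyphens, at least one dot.
_DOMAIN_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def normalize_email(value: str) -> str:
    """Reject malformed addresses and return one with a lower-cased domain.

    Stand-in for the single validator the issue asks for: both a bare
    domain-suffix check and a bare "@" check would accept inputs this rejects.
    """
    value = value.strip()
    if value.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {value!r}")
    local, domain = value.split("@")
    if not local or any(ch.isspace() for ch in local):
        raise ValueError(f"invalid local part in {value!r}")
    if not _DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"invalid domain in {value!r}")
    return f"{local}@{domain.lower()}"


def sending_to_self_buggy(email_recipient: str, sender_asf_uid: str) -> bool:
    """The comparison as reported: bare domain vs full address, so never True."""
    recipient_domain = email_recipient.split("@")[-1]
    return recipient_domain == f"{sender_asf_uid}@{ASF_DOMAIN}"


def sending_to_self(email_recipient: str, sender_asf_uid: str) -> bool:
    """Corrected check: validate first, then compare local part and domain separately.

    The domain is case-insensitive; the local part is compared as given, since
    the sender uid is the project's canonical spelling.
    """
    local, domain = normalize_email(email_recipient).split("@")
    return local == sender_asf_uid and domain == ASF_DOMAIN
```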