andrewmusselman opened a new issue, #782:
URL: https://github.com/apache/tooling-trusted-releases/issues/782
**ASVS:** 3.5.3 · **CWE:** CWE-352, CWE-650 · **File:**
`atr/admin/__init__.py` (lines 594–617)
### Description
The `/admin/test` endpoint performs a database write operation
(`wacm.keys.ensure_stored()`) via HTTP GET. Because GET requests are considered
"safe" by browsers, they can be triggered by `<img>` tags, link prefetching, or
other passive loads on a malicious page. An attacker who can lure an
authenticated admin to a crafted page could silently trigger the write
operation.
### Vulnerable code
```python
@admin.get("/test")
async def test(session: web.Committer) -> web.QuartResponse:
async with storage.write(session) as write:
wacm = write.as_committee_member("tooling")
outcomes = await wacm.keys.ensure_stored(keys_file_text) # state
change on GET
```
### Recommended fix
Change to POST and require a CSRF token:
```python
@admin.post("/test")
@admin.form(EmptyForm)
async def test(session: web.Committer) -> web.QuartResponse:
...
```
Actually just remove this function
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
