andrewmusselman opened a new issue, #784:
URL: https://github.com/apache/tooling-trusted-releases/issues/784
**ASVS:** 3.5.3 · **CWE:** CWE-352, CWE-650 · **File:** `atr/get/test.py`
(lines 36–47)
### Description
When `ALLOW_TESTS` is enabled, the `/test/login` endpoint creates a session
cookie via GET. This can be triggered by image tags or link prefetch,
potentially hijacking sessions or providing unauthorized access. While gated
behind a config flag, it's still a state-changing operation on a safe method.
### Vulnerable code
```python
@get.public("/test/login")
async def test_login(session: web.Committer | None) -> web.WerkzeugResponse:
if not config.get().ALLOW_TESTS:
raise base.ASFQuartException("Test login not enabled", errorcode=404)
session_data = atr.models.session.CookieData(uid="test", ...)
util.write_quart_session_cookie(session_data) # session write on GET
```
### Recommended fix
- Add comment about this in the runbook
- Change error message to say vanilla 404 "Not Found"
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
