andrewmusselman opened a new issue, #786:
URL: https://github.com/apache/tooling-trusted-releases/issues/786
**ASVS:** 3.5.2 · **CWE:** CWE-346, CWE-352 · **File:** `atr/blueprints/api.py` (lines 42–45, 84–87)
### Description
The entire API blueprint is CSRF-exempt (`csrf.exempt(_BLUEPRINT)`), relying
on JWT authentication and JSON content-type requirements as compensating
controls. However, there is no explicit `Origin` header validation anywhere in
the application. If CORS is ever misconfigured at the infrastructure layer
(e.g. reverse proxy adds permissive headers), API endpoints would be exposed to
cross-origin abuse.
Adding Origin validation provides defense-in-depth for all CSRF-exempt
routes.
### Recommended fix
```python
# Additions to atr/blueprints/api.py; `_BLUEPRINT` and `base` are the
# module's existing names (the API blueprint and the asfquart base module).
import quart

ALLOWED_ORIGINS = {
    "https://releases.apache.org",
    "https://release-test.apache.org",
}


@_BLUEPRINT.before_request
async def _validate_origin() -> None:
    # Browsers attach Origin to cross-site requests; non-browser API clients
    # usually omit it, so only a present-but-unlisted value is rejected.
    origin = quart.request.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        raise base.ASFQuartException("Invalid Origin", errorcode=403)
```
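A framework-independent version of the same check, added here as an illustration (not code from the issue or the project), which also canonicalizes the `Origin` value (host case, default port) and rejects `null` or malformed values; the two allowed origins are taken from the issue, the function names and the header-dict interface are assumptions.

```python
"""Origin allow-list check for CSRF-exempt API routes (standalone illustration)."""
from __future__ import annotations

from urllib.parse import urlsplit

# Allowed origins as named in the issue; the allow-list is canonicalized once.
ALLOWED_ORIGINS = {"https://releases.apache.org", "https://release-test.apache.org"}
_DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin: str) -> str | None:
    """Return 'scheme://host[:port]' in canonical form, or None if unusable.

    Browsers send Origin as scheme://host[:port] with no path. The literal
    'null' (sandboxed iframes, redirects across origins), userinfo, paths and
    unparseable ports are all treated as not matching anything.
    """
    if origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == _DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


_CANONICAL_ALLOWED = {n for n in map(normalize_origin, ALLOWED_ORIGINS) if n}


def origin_allowed(headers: dict[str, str]) -> bool:
    """Apply the issue's rule: no Origin header passes (non-browser clients);
    a present Origin must canonicalize to a listed value."""
    # Header names are case-insensitive; look the value up accordingly.
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        return True
    canonical = normalize_origin(origin)
    return canonical is not None and canonical in _CANONICAL_ALLOWED
```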
--
This is an automated message from the Apache Git Service.