asf-tooling opened a new issue, #963:
URL: https://github.com/apache/tooling-trusted-releases/issues/963
**ASVS Level(s):** [L1]
**Description:**
### Summary
The `release_ready_for_vote()` function validates 9 conditions before
allowing a vote to start (revision matching, committee existence, blocker
checks, file presence, etc.) but does not validate the release phase. This
allows committee members to initiate votes on releases in any phase, including
RELEASE_CANDIDATE (already voted), RELEASE_PREVIEW (being finalized), and
RELEASE (already announced). The function fetches the release without a phase
filter, enabling multiple votes to be initiated on the same release and
breaking the sequential lifecycle requirement.
### Details
**Affected Files and Lines:**
- `atr/db/interaction.py:220-270` - `release_ready_for_vote()` without phase validation
- `atr/get/voting.py` - Vote start UI
- `atr/post/voting.py` - Vote start handler
- `atr/get/manual.py` - Manual vote UI
- `atr/post/manual.py` - Manual vote handler
The function performs comprehensive validation but omits the critical phase
check, allowing votes to start from inappropriate lifecycle stages.
### Recommended Remediation
Add phase validation to `release_ready_for_vote()` to enforce that votes can
only start from RELEASE_CANDIDATE_DRAFT phase:
```python
# Add after fetching the release, before the other validations run
if release.phase != sql.ReleasePhase.RELEASE_CANDIDATE_DRAFT:
    return (
        False,
        f"Cannot start vote: release is in {release.phase.value} phase. "
        f"Votes can only be started from RELEASE_CANDIDATE_DRAFT phase.",
    )
```
Check `release.phase != sql.ReleasePhase.RELEASE_CANDIDATE_DRAFT` and return
an error message if the release is not in the draft phase before proceeding
with other validations.
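The gate described above, as an added stand-alone illustration rather than code from apache/tooling-trusted-releases: a minimal stand-in for `release_ready_for_vote()` with an `enforce_phase` switch that reproduces the reported gap when off. The `ReleasePhase` values are those named in this issue; the `Release` dataclass, the `has_files`/`blockers` stand-ins for the other checks, and `phases_that_can_vote()` are constructed for the example.

```python
# Added example, not project code: models the missing phase gate in
# release_ready_for_vote(). Release, has_files, blockers and
# phases_that_can_vote() are constructed for illustration.
import enum
from dataclasses import dataclass


class ReleasePhase(enum.Enum):
    RELEASE_CANDIDATE_DRAFT = "release_candidate_draft"
    RELEASE_CANDIDATE = "release_candidate"
    RELEASE_PREVIEW = "release_preview"
    RELEASE = "release"


@dataclass
class Release:
    name: str
    phase: ReleasePhase
    has_files: bool = True
    blockers: int = 0


def release_ready_for_vote(release: Release, enforce_phase: bool = True) -> tuple[bool, str]:
    """Return (ok, message). enforce_phase=False reproduces the reported gap."""
    # The fix: check the lifecycle phase before any other validation, so a
    # release that was already voted on, previewed or announced cannot re-enter voting.
    if enforce_phase and release.phase != ReleasePhase.RELEASE_CANDIDATE_DRAFT:
        return (
            False,
            f"Cannot start vote: release is in {release.phase.value} phase. "
            f"Votes can only be started from RELEASE_CANDIDATE_DRAFT phase.",
        )
    # Stand-ins for the remaining checks the real function performs
    if release.blockers:
        return False, f"Cannot start vote: {release.blockers} blocking check(s) failed."
    if not release.has_files:
        return False, "Cannot start vote: the release contains no files."
    return True, ""


def phases_that_can_vote(enforce_phase: bool = True) -> set[ReleasePhase]:
    """Every phase the gate lets a vote start from; with the fix, only the draft phase."""
    return {
        phase for phase in ReleasePhase
        if release_ready_for_vote(Release("example-1.0", phase), enforce_phase)[0]
    }
```

With `enforce_phase=False` every phase passes, which is the behaviour the issue reports; with the gate on, only `RELEASE_CANDIDATE_DRAFT` does, and that difference is what the integration test in the acceptance criteria should pin down.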
### Acceptance Criteria
- [ ] Phase validation added to function
- [ ] Only RELEASE_CANDIDATE_DRAFT phase allowed
- [ ] Descriptive error message returned
- [ ] Integration test verifies phase enforcement
- [ ] All vote start paths validated
- [ ] Unit test verifying the fix
### References
- Source reports: L1:2.3.1.md
- Related findings: FINDING-085, FINDING-086
- ASVS sections: 2.3.1
### Priority
High
---
This is an automated message from the Apache Git Service.