asf-tooling opened a new issue, #961:
URL: https://github.com/apache/tooling-trusted-releases/issues/961
**ASVS Level(s):** [L1]
**Description:**
### Summary
The web form path for editing trusted publishing configuration does not call
the existing validation function `_normalise_trusted_publishing_update()`,
while the API path does. This creates an inconsistency where invalid
configurations can be saved via the web interface but would be rejected via the
API. Specifically, workflow paths not starting with '.github/workflows/' could
weaken trusted publisher verification, and repository names with slashes could
cause path traversal issues in URL construction. The form-based endpoint
bypasses critical business validation that is correctly applied to the API
endpoint.
### Details
**Affected Files and Lines:**
- `atr/storage/writers/policy.py:178-188` - API path with validation
- `atr/storage/writers/policy.py:267-284` - Web form path without validation
- `atr/shared/projects.py:multiple` - Validation function
The API endpoint correctly applies cross-field validation, but the web form
endpoint directly assigns form values without validation, creating a security
bypass.
### Recommended Remediation
Call the existing `_normalise_trusted_publishing_update()` function in
`edit_trusted_publishing()` to apply the same cross-field validation as the API
path:
```python
# In edit_trusted_publishing()
values = {
'repository': form_data.get('repository'),
'workflow_path': form_data.get('workflow_path'),
# ... other fields
}
# Apply validation
normalized_values = _normalise_trusted_publishing_update(values)
# Use normalized values
release_policy.repository = normalized_values['repository']
release_policy.workflow_path = normalized_values['workflow_path']
```
Apply the validation function in `edit_trusted_publishing()` before
assigning form values to the release_policy object, matching the pattern used
in `edit_policy()`.
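As an added illustration (not the project's own code; the function names, error type and URL shape are assumptions), one shared normaliser that enforces the two rules the issue names, plus a simulation of the form path with and without it, so the effect of the bypass is visible:

```python
# Added example, not from the atr code base. Assumed: a shared normaliser that
# both the API path and the web-form path call, raising ValueError on bad input.
from __future__ import annotations

WORKFLOW_PREFIX = ".github/workflows/"


def normalise_trusted_publishing(values: dict[str, str | None]) -> dict[str, str]:
    """Validate and normalise the repository and workflow_path fields together."""
    repository = (values.get("repository") or "").strip()
    workflow_path = (values.get("workflow_path") or "").strip()
    if not repository:
        raise ValueError("repository is required")
    # A '/' in the repository name lets it span more than one path segment when
    # the verification URL is built, so it is rejected rather than encoded.
    if "/" in repository or repository in {".", ".."}:
        raise ValueError("repository must be a bare name without '/'")
    # Trusted publishing only trusts workflows that live under .github/workflows/
    if not workflow_path.startswith(WORKFLOW_PREFIX) or workflow_path == WORKFLOW_PREFIX:
        raise ValueError(f"workflow_path must start with {WORKFLOW_PREFIX!r}")
    if ".." in workflow_path.split("/"):
        raise ValueError("workflow_path must not contain '..' segments")
    return {"repository": repository, "workflow_path": workflow_path}


def validation_error(values: dict[str, str | None]) -> str | None:
    """Return the rejection reason, or None when the values are acceptable."""
    try:
        normalise_trusted_publishing(values)
    except ValueError as exc:
        return str(exc)
    return None


def build_workflow_url(owner: str, repository: str, workflow_path: str) -> str:
    """Assumed URL shape; shows how an unvalidated repository name escapes its segment."""
    return f"https://github.com/{owner}/{repository}/blob/main/{workflow_path}"


def apply_form(release_policy: dict, form_data: dict[str, str], validate: bool) -> dict:
    """Simulate the web-form path: validate=False mirrors the current bypass."""
    values = {
        "repository": form_data.get("repository"),
        "workflow_path": form_data.get("workflow_path"),
    }
    if validate:
        values = normalise_trusted_publishing(values)
    release_policy.update(values)
    return release_policy
```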
### Acceptance Criteria
- [ ] Validation function called before form processing
- [ ] Workflow path validation enforced
- [ ] Repository name validation enforced
- [ ] Web form behavior matches API behavior
- [ ] Integration test verifies validation enforcement
- [ ] Unit test verifying the fix
### References
- Source reports: L1:2.1.1.md, L1:2.2.1.md
- Related findings: FINDING-022, FINDING-089
- ASVS sections: 2.1.1, 2.2.1
### Priority
High
---
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]