asf-tooling opened a new issue, #968:
URL: https://github.com/apache/tooling-trusted-releases/issues/968
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The `stage` endpoint accepts authentication and authorization parameters
(`_session`, `_project_key`, `_version_key`) but does not use them to verify
that the authenticated user has permission to upload to the specified project
or that the `upload_session` token belongs to that user. The underscore prefix
on these parameters indicates they are validated for format but not used within
the function body. This creates an authorization bypass where any authenticated
committer can inject files into another user's upload session.
### Details
**Affected Files and Lines:**
- `atr/post/upload.py:126-164` - stage endpoint without authorization checks
- `atr/post/upload.py:44-104` - Upload session creation
The parameters are accepted but ignored, allowing cross-user upload session
manipulation.
### Recommended Remediation
Remove underscore prefixes from `session`, `project_key`, and `version_key`
parameters. Implement authorization checks:
```python
from datetime import datetime  # required by the expiry check in step 3

# 1. Verify user has permission to upload to the project
storage.read().as_project_committee_participant(project_key)
# 2. Verify upload_session is bound to the authenticated user
session_metadata = get_upload_session_metadata(upload_session)
if session_metadata['user_id'] != session['uid']:
    raise web.ASFQuartException('Upload session does not belong to you',
                                errorcode=403)
if session_metadata['project_key'] != project_key:
    raise web.ASFQuartException('Upload session project mismatch',
                                errorcode=403)
# 3. Validate the upload_session has not expired
if session_metadata['expires_at'] < datetime.now():
    raise web.ASFQuartException('Upload session expired', errorcode=403)
```
Store upload session bindings when created and validate them in the stage
endpoint.
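The following is an added, self-contained illustration of the remediation described above; it is not code from the `tooling-trusted-releases` project and does not use its `storage`, `web` or `get_upload_session_metadata` APIs. It assumes an in-memory `UploadSessionStore` standing in for the project's session persistence and a constructed `committers` mapping standing in for the committee-membership lookup. It goes slightly beyond the sketch by also binding `version_key` to the session and by using an injectable clock so the expiry check can be tested deterministically.

```python
"""Bind upload sessions to their creator at creation time; re-check the binding on stage."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class AuthorizationError(Exception):
    """Carries the HTTP status the endpoint should return (assumed stand-in for the project's exception)."""

    def __init__(self, message: str, status: int = 403) -> None:
        super().__init__(message)
        self.status = status


@dataclass(frozen=True)
class UploadSession:
    token: str
    user_id: str
    project_key: str
    version_key: str
    expires_at: datetime


class UploadSessionStore:
    """In-memory stand-in for wherever session metadata is persisted (assumption)."""

    def __init__(self, ttl: timedelta = timedelta(hours=1)) -> None:
        self._sessions: dict[str, UploadSession] = {}
        self._ttl = ttl

    def create(self, user_id: str, project_key: str, version_key: str,
               now: datetime | None = None) -> UploadSession:
        # The binding is recorded when the session is issued, so the stage
        # endpoint later has an authoritative record to compare against.
        now = now or datetime.now(timezone.utc)
        session = UploadSession(
            token=secrets.token_urlsafe(32), user_id=user_id,
            project_key=project_key, version_key=version_key,
            expires_at=now + self._ttl,
        )
        self._sessions[session.token] = session
        return session

    def get(self, token: str) -> UploadSession | None:
        return self._sessions.get(token)


def authorize_stage(store: UploadSessionStore, *, uid: str, project_key: str,
                    version_key: str, upload_session: str,
                    committers: dict[str, set[str]],
                    now: datetime | None = None) -> UploadSession:
    """Return the bound session if `uid` may stage files into it; raise otherwise."""
    now = now or datetime.now(timezone.utc)

    # 1. Project permission: `committers` maps project_key -> set of uids (constructed).
    if uid not in committers.get(project_key, set()):
        raise AuthorizationError("Not a committee participant for this project", 403)

    # 2. Ownership and binding. An unknown token and another user's token get the
    #    same response, so the caller learns nothing about tokens it does not own.
    session = store.get(upload_session)
    if session is None or session.user_id != uid:
        raise AuthorizationError("Upload session does not belong to you", 403)
    if session.project_key != project_key or session.version_key != version_key:
        raise AuthorizationError("Upload session project/version mismatch", 403)

    # 3. Expiry, against the injected clock.
    if session.expires_at <= now:
        raise AuthorizationError("Upload session expired", 403)
    return session


def demo() -> dict[str, str]:
    """Run the checks over constructed scenarios; returns 'ok' or the refusal message."""
    store = UploadSessionStore(ttl=timedelta(minutes=30))
    committers = {"httpd": {"alice", "bob"}, "tomcat": {"alice"}}  # constructed data
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    alice = store.create("alice", "httpd", "2.4.0", now=t0)
    base = dict(project_key="httpd", version_key="2.4.0", upload_session=alice.token, now=t0)
    scenarios = {
        "owner_ok": {**base, "uid": "alice"},
        "other_committer_injects": {**base, "uid": "bob"},       # the reported bypass
        "non_committer": {**base, "uid": "carol"},
        "wrong_project": {**base, "uid": "alice", "project_key": "tomcat"},
        "expired": {**base, "uid": "alice", "now": t0 + timedelta(minutes=31)},
        "unknown_token": {**base, "uid": "alice", "upload_session": "not-a-token"},
    }
    results: dict[str, str] = {}
    for name, kwargs in scenarios.items():
        try:
            authorize_stage(store, committers=committers, **kwargs)
            results[name] = "ok"
        except AuthorizationError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>24}: {outcome}")
```

The `other_committer_injects` scenario is the case the finding describes: a user who legitimately holds upload rights on the project but presents someone else's session token. The project check alone (step 1) passes for that user; only the ownership binding recorded at creation stops the injection.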
### Acceptance Criteria
- [ ] Authorization parameters used (not ignored)
- [ ] Project permission verified
- [ ] Upload session ownership verified
- [ ] Upload session expiration checked
- [ ] Session bindings stored at creation
- [ ] Unit test verifying the fix
### References
- Source reports: L2:4.4.3.md
- Related findings: FINDING-119
- ASVS sections: 4.4.3
### Priority
High
---
**Triage notes:** clean out old code
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.