asf-tooling opened a new issue, #964:
URL: https://github.com/apache/tooling-trusted-releases/issues/964
**ASVS Level(s):** [L1, L2]
**Description:**
### Summary
Four SBOM task functions (generate_sbom, score_tool, score_attestation,
score_osv) use `args.file_path` and `args.revision_number` directly in file
system path construction without validating that the path is contained within
the expected project/revision directory. While the initial form submission
validates the path using `safe.RelPath`, the task function re-uses the string
value without re-validating containment, creating a TOCTOU-style vulnerability.
Attackers who can modify the database or task queue can inject path traversal
sequences to read or write files in other projects' directories.
### Details
**Affected Files and Lines:**
- `atr/tasks/sbom.py:50-120` - generate_sbom without path validation
- `atr/tasks/sbom.py:140-180` - score_tool without path validation
- `atr/tasks/sbom.py:200-240` - score_attestation without path validation
- `atr/tasks/sbom.py:260-300` - score_osv without path validation
- `atr/tasks/sbom.py:76` - Path construction point
- `atr/tasks/sbom.py:110` - Path construction point
- `atr/tasks/sbom.py:155` - Path construction point
- `atr/tasks/sbom.py:180` - Path construction point
The task model uses unvalidated path components, bypassing the safe type
system and allowing path traversal if the database or queue is compromised.
### Recommended Remediation
Re-validate `file_path` as `safe.RelPath` in task functions:
```python
# At start of each task function
validated_path = safe.RelPath(args.file_path)
validated_revision = safe.RevisionNumber(args.revision_number)
# Construct full path
full_path = project_dir / validated_revision / validated_path
# Add explicit containment check
if not full_path.resolve().is_relative_to(project_dir / validated_revision):
raise ValueError("Path traversal detected")
```
Update `SBOMGenerateArgs` and `FileArgs` Pydantic models to use
`safe.RelPath` and `safe.RevisionNumber` types instead of `str`. Apply fixes to
all 4 affected functions. Add a Pydantic `@model_validator` to validate path
components.
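A stand-alone version of the re-validation and containment check recommended above, added here as an example and not taken from the tooling-trusted-releases code base. The helper names, the digits-only revision-number format and the scratch directory layout are assumptions; the real project would use its own `safe.RelPath` and `safe.RevisionNumber` types in place of the two validators. The example goes one step beyond the text by also covering a symlink planted inside the revision directory, which a string-level check alone would miss.

```python
import re
import tempfile
from pathlib import Path
_REVISION_RE = re.compile(r"[0-9]+")  # assumed format: digits only, e.g. "00003"

def validate_revision_number(value: str) -> str:
    if not _REVISION_RE.fullmatch(value):
        raise ValueError(f"invalid revision number: {value!r}")
    return value

def validate_rel_path(value: str) -> str:
    """Reject empty, absolute or '..'-containing paths before any FS access."""
    parts = Path(value).parts
    if not parts or Path(value).is_absolute() or ".." in parts:
        raise ValueError(f"unsafe relative path: {value!r}")
    return value

def resolve_task_path(project_dir: Path, revision_number: str, file_path: str) -> Path:
    """Re-validate task args and return a path guaranteed to lie under
    project_dir/<revision>; ValueError on any escape, symlinks included."""
    revision_dir = (project_dir / validate_revision_number(revision_number)).resolve()
    full_path = (revision_dir / validate_rel_path(file_path)).resolve()
    # resolve() follows symlinks, so the string checks above are not enough alone.
    if not full_path.is_relative_to(revision_dir):
        raise ValueError("Path traversal detected")
    return full_path

def run_cases() -> dict[str, str]:
    """Run the check on constructed inputs in a scratch tree: 'ok' or 'rejected' per case."""
    cases = {"plain": ("00003", "a/sbom.json"),
             "dotdot": ("00003", "../00002/a/sbom.json"),
             "absolute": ("00003", "/etc/hostname"),
             "bad_revision": ("../00002", "a/sbom.json")}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        project_dir = Path(tmp) / "project"
        (project_dir / "00003" / "a").mkdir(parents=True)
        try:  # planted link escaping the revision dir; skipped where symlinks are unsupported
            (project_dir / "00003" / "link").symlink_to(Path(tmp))
            cases["symlink"] = ("00003", "link/secret.txt")
        except OSError:
            pass
        for name, (rev, rel) in cases.items():
            try:
                resolve_task_path(project_dir, rev, rel)
                results[name] = "ok"
            except ValueError:
                results[name] = "rejected"
    return results
```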
### Acceptance Criteria
- [ ] Path validation added to all 4 functions
- [ ] Containment check enforces directory boundaries
- [ ] Pydantic models use safe types
- [ ] Model validator added
- [ ] Integration test verifies path traversal prevention
- [ ] Unit test verifying the fix
### References
- Source reports: L1:2.2.2.md, L2:2.2.3.md
- Related findings: FINDING-093, FINDING-094
- ASVS sections: 2.2.2, 2.2.3
### Priority
High
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]