asf-tooling opened a new issue, #974:
URL: https://github.com/apache/tooling-trusted-releases/issues/974
**ASVS Level(s):** [L1]
**Description:**
### Summary
The check result endpoint calls `session.check_access(project_key)` to
verify the user has access to the specified project, but then fetches the check
result record solely by its integer `check_id` without verifying it belongs to
the validated release. This allows an authenticated committer to retrieve
detailed check results from any project by guessing or enumerating check IDs.
An attacker can authenticate for one project, pass that project's `project_key`
to satisfy the authorization check, but provide a `check_id` from a different
project to access cross-project check results.
### Details
**Affected Files and Lines:**
- `atr/get/result.py:33-62` - Check result endpoint with IDOR
- `atr/get/result.py:55` - Check result fetch without release scoping
- `atr/get/result.py:28` - Authorization check on project only
The authorization validates project access, but the data fetch uses only the
`check_id`, creating a cross-project data access vulnerability.
### Recommended Remediation
Scope the check result query to the validated release:
```python
# After fetching the release
check_result = db_session.query(sql.CheckResult).filter_by(
    id=check_id,
    release_key=release.key,  # Add release scoping
).first()
if not check_result:
    raise base.ASFQuartException('Check result not found', errorcode=404)
```
**Alternative:** Add explicit validation after fetching (the `None` case must be
handled too, otherwise a missing row raises an `AttributeError` instead of a 404):
```python
check_result = db_session.get(sql.CheckResult, check_id)
# Same 404 for "no such row" and "wrong release", so the response does not
# reveal whether an ID exists in another project
if check_result is None or check_result.release_key != release.key:
    raise base.ASFQuartException('Check result not found', errorcode=404)
```
Audit all endpoints that look up records by integer ID for similar IDOR
vulnerabilities. Add an integration test that attempts cross-project check result
access. Consider using composite keys (`release_key` + `check_sequence`) instead of
global IDs. Add rate limiting to check result endpoints to slow down enumeration.
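The following is an added example, not code from the tooling-trusted-releases project: a small `sqlite3` model of the endpoint that contrasts the current lookup (by global `check_id` only) with the release-scoped lookup recommended above, plus the cross-project integration test the issue asks for. The table and column names (`releases`, `check_results`, `release_key`, `project_key`), the user-to-project map and the `NotFound` exception are assumptions chosen to mirror the snippets above, not the project's real schema or `base.ASFQuartException`.

```python
import sqlite3


class NotFound(Exception):
    """Stand-in for base.ASFQuartException(..., errorcode=404) (assumed name)."""


# Constructed sample authorization data: which projects each committer may access.
USER_PROJECTS = {"alice": {"alpha"}, "bob": {"beta"}}


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two projects, one release each, one check result each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE releases (key TEXT PRIMARY KEY, project_key TEXT NOT NULL);
        CREATE TABLE check_results (
            id INTEGER PRIMARY KEY,
            release_key TEXT NOT NULL REFERENCES releases(key),
            detail TEXT NOT NULL
        );
        INSERT INTO releases VALUES ('alpha-1.0', 'alpha'), ('beta-2.0', 'beta');
        INSERT INTO check_results VALUES
            (1, 'alpha-1.0', 'alpha: license headers ok'),
            (2, 'beta-2.0',  'beta: signature check FAILED (private detail)');
        """
    )
    return conn


def check_access(user: str, project_key: str) -> None:
    """Models session.check_access(project_key): authorization on the project only."""
    if project_key not in USER_PROJECTS.get(user, set()):
        raise PermissionError(f"{user} has no access to project {project_key}")


def load_release(conn: sqlite3.Connection, project_key: str, release_key: str) -> str:
    """Fetch the release, scoped to the project the caller was authorized for."""
    row = conn.execute(
        "SELECT key FROM releases WHERE key = ? AND project_key = ?",
        (release_key, project_key),
    ).fetchone()
    if row is None:
        raise NotFound("Release not found")
    return row[0]


def result_vulnerable(conn, user, project_key, release_key, check_id) -> str:
    """Current behaviour: the release is validated but then ignored by the fetch."""
    check_access(user, project_key)
    load_release(conn, project_key, release_key)
    row = conn.execute(
        "SELECT detail FROM check_results WHERE id = ?", (check_id,)
    ).fetchone()
    if row is None:
        raise NotFound("Check result not found")
    return row[0]


def result_fixed(conn, user, project_key, release_key, check_id) -> str:
    """Remediated behaviour: the query itself is scoped to the validated release,
    so a foreign check_id and a nonexistent one both end in the same 404."""
    check_access(user, project_key)
    key = load_release(conn, project_key, release_key)
    row = conn.execute(
        "SELECT detail FROM check_results WHERE id = ? AND release_key = ?",
        (check_id, key),
    ).fetchone()
    if row is None:
        raise NotFound("Check result not found")
    return row[0]


def can_read(endpoint, user, project_key, release_key, check_id) -> bool:
    """Integration-test helper: True if the endpoint hands back data for the request."""
    try:
        endpoint(build_db(), user, project_key, release_key, check_id)
        return True
    except (PermissionError, NotFound):
        return False


if __name__ == "__main__":
    # alice is authorized for alpha but asks for check id 2, which belongs to beta.
    print("vulnerable endpoint leaks beta's result:",
          can_read(result_vulnerable, "alice", "alpha", "alpha-1.0", 2))
    print("fixed endpoint blocks it:",
          not can_read(result_fixed, "alice", "alpha", "alpha-1.0", 2))
```

`can_read` is the shape of the regression test worth keeping in the suite: authorize a user for one project, request a `check_id` known to belong to another release, and assert a 404. The scoped query is preferred over fetch-then-compare because the database, not a follow-up `if`, enforces the boundary, and every future caller of the same query inherits it.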
### Acceptance Criteria
- [ ] Check result query scoped to release
- [ ] Cross-project access prevented
- [ ] Integration test verifies IDOR prevention
- [ ] Other endpoints audited for similar issues
- [ ] Rate limiting considered
- [ ] Unit test verifying the fix
### References
- Source reports: L1:8.1.1.md, L1:8.2.2.md
- Related findings: FINDING-039
- ASVS sections: 8.1.1, 8.2.2
### Priority
High
---
**Triage notes:** audit_guidance copy in https://github.com/apache/tooling-trusted-releases/blob/main/atr/docs/code-policies.md
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.