asf-tooling opened a new issue, #995:
URL: https://github.com/apache/tooling-trusted-releases/issues/995

**ASVS Level(s):** [L2-only]

**Description:**

### Summary
The `_fetch_keys_from_url` function uses `allow_redirects=True` without validating redirect target domains. If downloads.apache.org were compromised or DNS-hijacked, the application would follow redirects to arbitrary destinations including cloud metadata endpoints (169.254.169.254), internal services, or attacker-controlled servers. Response data from redirect targets is read and stored in the database.

### Details
Affected locations:
- `atr/post/keys.py` lines 186-206: Redirect following without validation
- `atr/post/keys.py` lines 207-210: Response data stored
- `scripts/keys_import.py` lines 137-140: Same vulnerability in import script

If downloads.apache.org is compromised, redirects could target internal infrastructure or cloud metadata endpoints, enabling SSRF attacks.

### Recommended Remediation
Implement redirect target validation:

1. Create domain allowlist: `_ALLOWED_KEYS_DOMAINS` with `downloads.apache.org`, `dlcdn.apache.org`, `archive.apache.org`
2. Set `allow_redirects=False`
3. Manually handle redirects with validation
4. Create `_validate_keys_url()` function to check:
   - Scheme (HTTPS only)
   - Hostname (against allowlist)
   - Port (443 only)
5. Only follow redirects after validation passes

### Acceptance Criteria
- [ ] Redirect target validation is implemented
- [ ] Only HTTPS redirects to allowed domains are followed
- [ ] Cloud metadata endpoints cannot be reached via redirect
- [ ] Unit tests verify redirect validation logic

### References
- Source reports: L2:1.3.6.md
- Related findings: None
- ASVS sections: 1.3.6

### Priority
Medium

---

**Triage notes:** in-line audit_guidance, known issue and the code will change


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
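The remediation steps above (allowlist, `allow_redirects=False`, per-hop validation of scheme, host and port), worked through as an added example that is not code from the tooling-trusted-releases project. The `fetch(url) -> (status, headers, body)` client shape, the `_MAX_REDIRECTS` budget and the canned responses are assumptions made so the example runs offline.

```python
from typing import Callable
from urllib.parse import urljoin, urlsplit
# Names follow the issue's remediation steps; the allowlist members are the three hosts it names.
_ALLOWED_KEYS_DOMAINS = frozenset({"downloads.apache.org", "dlcdn.apache.org", "archive.apache.org"})
_MAX_REDIRECTS = 5  # assumption: a small fixed hop budget instead of the client's default
Response = tuple[int, dict[str, str], bytes]  # assumed client shape: fetch(url) -> (status, headers, body)

def _validate_keys_url(url: str) -> bool:
    """Accept only https://<allowlisted host>[:443]/... with no embedded credentials."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username is not None or parts.password is not None:
        return False
    if parts.hostname not in _ALLOWED_KEYS_DOMAINS:  # lowercased by urlsplit; IP literals never match
        return False
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    return port in (None, 443)

def _fetch_keys_from_url(url: str, fetch: Callable[[str], Response]) -> bytes:
    """Follow redirects by hand (allow_redirects=False) and validate every hop before requesting it."""
    current = url
    for _ in range(_MAX_REDIRECTS + 1):
        if not _validate_keys_url(current):
            raise ValueError(f"refusing to fetch disallowed URL: {current}")
        status, headers, body = fetch(current)
        if status in (301, 302, 303, 307, 308):
            location = next((v for k, v in headers.items() if k.lower() == "location"), None)
            if location is None:
                raise ValueError(f"redirect from {current} carries no Location header")
            current = urljoin(current, location)  # Location may be relative; resolve before validating
            continue
        if status != 200:
            raise ValueError(f"unexpected HTTP status {status} from {current}")
        return body
    raise ValueError(f"more than {_MAX_REDIRECTS} redirects starting from {url}")

# Constructed offline stand-in for the network: URL -> canned (status, headers, body).
_FAKE_RESPONSES: dict[str, Response] = {
    "https://downloads.apache.org/foo/KEYS": (302, {"Location": "https://dlcdn.apache.org/foo/KEYS"}, b""),
    "https://dlcdn.apache.org/foo/KEYS": (200, {}, b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"),
    "https://downloads.apache.org/rel/KEYS": (302, {"location": "/mirror/KEYS"}, b""),
    "https://downloads.apache.org/mirror/KEYS": (200, {}, b"KEYS body"),
    "https://downloads.apache.org/bad/KEYS": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
}

def _fake_fetch(url: str) -> Response:
    return _FAKE_RESPONSES.get(url, (404, {}, b""))
```

The same `_validate_keys_url` check also covers the initial URL, so a configuration mistake that points the importer at an unexpected host is refused before any request is made.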