asf-tooling opened a new issue, #996:
URL: https://github.com/apache/tooling-trusted-releases/issues/996
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The `votes` function accepts `thread_id` as a plain `str` type without format
validation or a safe type wrapper. There is no rejection of path traversal
sequences (`../../`), fragments (`#`), or query parameters (`?`). While JWT
authentication limits the attack surface and the domain remains hardcoded, the
lack of validation creates a risk of path traversal within the
lists.apache.org domain or API endpoint manipulation if the downstream
`util.thread_messages()` doesn't properly validate.
### Details
Affected locations:
- `atr/tabulate.py` lines 131-176: votes function accepts unvalidated
thread_id
- `atr/tabulate.py` lines 261-267: thread_id used in server-side request
The thread_id parameter is used to construct URLs for server-side requests
to lists.apache.org without format validation, potentially allowing path
traversal or endpoint manipulation.
### Recommended Remediation
**Option 1 (Recommended):** Create ThreadId safe type in
`atr/models/safe.py` with pattern validation (`^[a-zA-Z0-9]{1,128}$`) to
restrict to alphanumeric characters only. Update function signature:
```python
async def votes(committee: sql.Committee | None, thread_id: ThreadId)
```
**Option 2:** Add a `_validate_thread_id()` function at the entry point to
validate the format before use.
### Acceptance Criteria
- [ ] thread_id parameter uses safe type or explicit validation
- [ ] Path traversal sequences are rejected
- [ ] Only alphanumeric thread IDs are accepted
- [ ] Unit tests verify validation logic
### References
- Source reports: L2:1.3.6.md
- Related findings: None
- ASVS sections: 1.3.6
### Priority
Medium
---
**Triage notes:** add a safe thread type
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]