asf-tooling opened a new issue, #998:
URL: https://github.com/apache/tooling-trusted-releases/issues/998
**ASVS Level(s):** [L1]
**Description:**
### Summary
The finish-phase operations (file movement, directory deletion, RC tag
removal) in `atr/post/finish.py` are intended for the RELEASE_PREVIEW phase
after vote resolution. While the GET handler correctly enforces `phase ==
RELEASE_PREVIEW`, the POST handler dispatches directly to operation handlers
without phase validation. This allows finish operations to execute during any
phase, including RELEASE_CANDIDATE (during active voting).
### Details
Affected locations:
- `atr/post/finish.py` lines 31-42: POST handler dispatches without phase
check
- `atr/get/finish.py` line 138: GET handler correctly enforces phase
The POST handler calls `_delete_empty_directory`, `_move_file_to_revision`,
`_remove_rc_tags` directly without verifying the release is in RELEASE_PREVIEW
phase.
### Recommended Remediation
Add phase validation to the `selected()` POST handler before dispatching to
operation handlers. Fetch the release using `session.release()` with
`phase=sql.ReleasePhase.RELEASE_PREVIEW` to enforce that finish operations can
only execute during the preview phase:
```python
async def selected(session, project_key, version_key, form):
release = await session.release(
project_key=project_key,
version_key=version_key,
phase=sql.ReleasePhase.RELEASE_PREVIEW
)
# ... proceed with operations
```
### Acceptance Criteria
- [ ] Finish operations require RELEASE_PREVIEW phase
- [ ] Attempting finish operations in other phases returns appropriate error
- [ ] Integration tests verify phase enforcement
- [ ] Unit test verifying the fix
### References
- Source reports: L1:2.3.1.md
- Related findings: FINDING-086, FINDING-023
- ASVS sections: 2.3.1
### Priority
Medium
---
---
### Consolidated: FINDING-086 - Draft-Phase File Operations Executable
During Any Release Phase
**ASVS Level(s):** [L1]
**Description:**
### Summary
Four draft-phase file operations (`delete_file`, `hashgen`, `sbomgen`,
`quarantine_clear`) in `atr/post/draft.py` create new revisions without
validating the release phase. Additionally, the `upload.py::stage()` function
uses underscore-prefixed parameter names (`_project_key`, `_version_key`) that
bypass the `post.typed` decorator's automatic `check_access()` authorization,
allowing file uploads without project access validation. The draft operations
call `create_revision_with_quarantine()` which fetches releases without phase
filters, enabling operations during any phase including RELEASE_CANDIDATE.
### Details
Affected locations:
- `atr/post/draft.py` lines 92-116: Draft operations without phase validation
- `atr/post/upload.py` lines 109-152: Upload staging bypasses authorization
Draft operations can execute during RELEASE_CANDIDATE phase when they should
only be allowed during DRAFT phase. Upload staging bypasses project access
checks due to underscore-prefixed parameters.
### Recommended Remediation
**For draft operations:** Add phase validation using `session.release()`
with `phase=sql.ReleasePhase.RELEASE_CANDIDATE_DRAFT` before executing file
operations:
```python
release = await session.release(
project_key=project_key,
version_key=version_key,
phase=sql.ReleasePhase.RELEASE_CANDIDATE_DRAFT
)
```
**For upload staging:** Remove underscore prefixes from `project_key` and
`version_key` parameters to enable automatic authorization via `post.typed`
decorator. Add explicit phase validation to ensure uploads only occur during
writable phases (DRAFT or PREVIEW).
### Acceptance Criteria
- [ ] Draft operations require RELEASE_CANDIDATE_DRAFT phase
- [ ] Upload staging enforces project access authorization
- [ ] Phase validation prevents operations during inappropriate phases
- [ ] Integration tests verify enforcement
- [ ] Unit test verifying the fix
### References
- Source reports: L1:2.3.1.md
- Related findings: FINDING-085, FINDING-087, FINDING-023
- ASVS sections: 2.3.1
### Priority
Medium
---
---
### Consolidated: FINDING-087 - SBOM Operations Bypass Release Phase
Validation
**ASVS Level(s):** [L1]
**Description:**
### Summary
SBOM (Software Bill of Materials) augmentation and scanning operations in
`atr/post/sbom.py` create background tasks that generate new revisions. The
`_augment()` and `_scan()` functions fetch releases using `data.release()`
without phase validation, allowing SBOM operations during any phase including
RELEASE_CANDIDATE (during voting) and RELEASE (after announcement). These
background tasks call `create_revision_with_quarantine()` which creates new
revisions regardless of current phase.
### Details
Affected locations:
- `atr/post/sbom.py` line 57: `_augment()` fetches release without phase
filter
- `atr/post/sbom.py` line 84: `_scan()` fetches release without phase filter
Background tasks can generate new revisions during voting or after release
announcement, when compose operations should not be allowed.
### Recommended Remediation
Replace direct database access with `session.release()` which defaults to
RELEASE_CANDIDATE_DRAFT phase. This ensures SBOM operations can only execute
during the draft phase when compose operations are appropriate:
```python
# In _augment() and _scan() functions:
release = await session.release(
project_key=args.project_key,
version_key=args.version_key,
phase=sql.ReleasePhase.RELEASE_CANDIDATE_DRAFT
)
```
Apply this fix to both `_augment()` and `_scan()` functions.
### Acceptance Criteria
- [ ] SBOM operations require RELEASE_CANDIDATE_DRAFT phase
- [ ] Operations during other phases return appropriate error
- [ ] Background tasks respect phase restrictions
- [ ] Integration tests verify phase enforcement
- [ ] Unit test verifying the fix
### References
- Source reports: L1:2.3.1.md
- Related findings: FINDING-086
- ASVS sections: 2.3.1
### Priority
Medium
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
