asf-tooling opened a new issue, #1001:
URL: https://github.com/apache/tooling-trusted-releases/issues/1001

**ASVS Level(s):** [L1]

**Description:**

### Summary
The `score_tool()` function uses `args.previous_release_version` to construct file paths for reading previous SBOM data without validating the version format. This could allow path traversal to read SBOM files from other projects if an attacker can modify task queue arguments.

### Details
Affected location: `atr/tasks/sbom.py` lines 140-180

The function constructs paths using the unvalidated `previous_release_version`:
```python
previous_path = base_path / args.previous_release_version / "sbom.json"
```

Without validation, an attacker with task queue access could use values like `../../other-project/1.0.0` to read SBOM files from other projects.

### Recommended Remediation
Validate `previous_release_version` using `safe.VersionKey`. Add an explicit containment check to verify that the resolved path is within the expected project directory:
   
```python
# Validate version format (rejects separators and traversal sequences)
validated_version = safe.VersionKey(args.previous_release_version)

# Construct path from the validated value only
previous_path = base_path / str(validated_version) / "sbom.json"

# Verify containment on the resolved (symlink-free, ".."-collapsed) path;
# Path.is_relative_to() requires Python 3.9 or later
if not previous_path.resolve().is_relative_to(base_path.resolve()):
    raise ValueError("Path traversal attempt detected")
```
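The two layers of the remediation above (format validation, then containment on the resolved path), as a stand-alone added example that is not code from the ATR repository. `safe.VersionKey` is replaced by a hypothetical regex validator `validate_version()`, since the real class's rules are not shown in this issue; `EXAMPLE_BASE` and the sample versions are constructed and the directory need not exist.

```python
import re
from pathlib import Path

# Hypothetical stand-in for safe.VersionKey: accept one dotted numeric
# segment with an optional "-suffix", e.g. 1.0.0 or 2.1.0-rc1.
_VERSION_RE = re.compile(r"[0-9]+(\.[0-9]+)*(-[A-Za-z0-9.]+)?")

# Constructed sample base directory for one project's SBOMs (need not exist).
EXAMPLE_BASE = Path("/srv/atr/sboms/example-project")


def validate_version(value: str) -> str:
    """Return value if it is a well-formed version; raise ValueError otherwise.

    fullmatch() is used rather than search() or a $ anchor so that path
    separators, a leading slash and a trailing newline all fail the check.
    """
    if not isinstance(value, str) or _VERSION_RE.fullmatch(value) is None:
        raise ValueError(f"invalid release version: {value!r}")
    return value


def previous_sbom_path(base_path: Path, previous_release_version: str) -> Path:
    """Build base_path/<version>/sbom.json with format and containment checks."""
    version = validate_version(previous_release_version)
    candidate = base_path / version / "sbom.json"
    # Second layer: resolve() follows symlinks and collapses "..", so the
    # containment check is made on the real location, not the textual path.
    # Note that without the validator pathlib would let an absolute segment
    # discard base_path entirely: Path("/a") / "/b/c" == Path("/b/c").
    resolved = candidate.resolve()
    if not resolved.is_relative_to(base_path.resolve()):
        raise ValueError("Path traversal attempt detected")
    return resolved


def classify(base_path: Path, versions: list[str]) -> dict[str, str]:
    """Demo helper: map each candidate version to 'ok' or its rejection reason."""
    results: dict[str, str] = {}
    for version in versions:
        try:
            previous_sbom_path(base_path, version)
            results[version] = "ok"
        except ValueError as exc:
            results[version] = str(exc)
    return results


if __name__ == "__main__":
    samples = ["1.0.0", "2.1.0-rc1", "../../other-project/1.0.0",
               "/srv/atr/sboms/other-project/1.0.0", "1.0.0\n"]
    for version, verdict in classify(EXAMPLE_BASE, samples).items():
        print(f"{version!r:40} -> {verdict}")
```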
   
### Acceptance Criteria
- [ ] `previous_release_version` is validated using `safe.VersionKey`
- [ ] Path containment is verified before file access
- [ ] Path traversal attempts are rejected
- [ ] Test cases verify validation
- [ ] Unit test verifying the fix

### References
- Source reports: L1:2.2.2.md
- Related findings: FINDING-025, FINDING-094
- ASVS sections: 2.2.2

### Priority
Medium

   ---


-- 
This is an automated message from the Apache Git Service.