asf-tooling opened a new issue, #1009:
URL: https://github.com/apache/tooling-trusted-releases/issues/1009
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The `AddProjectForm` validates its `committee_key` field against itself
(a user-controllable hidden field) rather than cross-validating it against
the URL parameter that authorization was based on. A user authorized for
committee 'infra' via the URL can change the hidden field to 'security'
before submission. The form validator then checks that the project label
starts with 'security-' (which passes), but the handler creates the project
under the 'infra' committee with a 'security-' prefix, bypassing the naming
convention.
### Details
Affected locations:
- `atr/shared/projects.py` lines 31-73: Form validates against hidden field
- `atr/post/projects.py` lines 27-42: Handler uses URL parameter
The validator checks that the project label matches the committee_key from
the hidden field, but the handler uses the committee_key from the URL for
actual authorization and project creation. Because the two values are never
compared, the naming convention can be bypassed. Authorization itself is not
bypassed: the project is still created under the committee the user is
authorized for, so the impact is limited to a mislabelled project.
### Recommended Remediation
Pass the URL parameter into Pydantic validation context or verify
consistency in handler before proceeding:
```python
async def add_project(session, committee_key, project_form):
    # Verify hidden field matches URL parameter
    if project_form.committee_key != str(committee_key):
        raise exceptions.BadRequest("Committee key mismatch")
    # Proceed with project creation
```
Alternative: Pass committee_key from URL into Pydantic validation context
and validate against that instead of the hidden field.
### Acceptance Criteria
- [ ] Hidden field is validated against URL parameter
- [ ] Mismatched committee keys are rejected
- [ ] Test cases verify cross-validation
- [ ] Unit test verifying the fix
### References
- Source reports: L2:2.2.3.md
- Related findings: FINDING-101
- ASVS sections: 2.2.3
### Priority
Medium
---
### Consolidated: FINDING-101 - URL Parameter Not Cross-Validated With Form Project Key
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The `EditProjectForm` contains a hidden `project_key` field that is not
cross-validated against the URL parameter used for authorization and data
retrieval. While the handler correctly uses the URL parameter for authorization
and data access, the lack of cross-validation creates potential for confusion
if form validators or downstream code reference the form's `project_key` field,
assuming it matches the authorized context.
### Details
Affected locations:
- `atr/shared/projects.py` lines 75-119: EditProjectForm with hidden
project_key
- `atr/post/projects.py` lines 45-65: Handler uses URL parameter
The form contains a hidden project_key field that could be modified by the
user, but the handler uses the URL parameter for actual operations. This
creates potential for mismatch between the form's project_key and the
authorized context.
### Recommended Remediation
Add cross-validation in the form or handler to verify `form.project_key`
matches the URL parameter before proceeding:
```python
async def edit_project(session, project_key, project_form):
    # Verify hidden field matches URL parameter
    if project_form.project_key != str(project_key):
        raise exceptions.BadRequest("Project key mismatch")
    # Proceed with project update
```
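The following is an added, self-contained example (not code from the `tooling-trusted-releases` project) that shows both findings side by side: the self-referential validator that FINDING-099 describes, the handler-side cross-check recommended above for both `committee_key` (FINDING-099) and `project_key` (FINDING-101), and a constructed tampered request that the flawed path accepts and the fixed path rejects. The class names, `BadRequest`, `require_match`, `require_label_prefix` and the form field layouts are assumptions that only mirror the shapes the findings describe; the label convention is taken from the finding ("label starts with `<committee_key>-`").

```python
"""Added example: hidden form field vs. URL parameter (FINDING-099 / FINDING-101).

Not the project's code. Class and function names are hypothetical; the form
shapes only mirror what the findings describe.
"""
from dataclasses import dataclass


class BadRequest(Exception):
    """Stand-in for the framework's 400 exception (hypothetical)."""


def require_match(field_name: str, form_value: str, url_value: str) -> None:
    """Reject the request unless the hidden field equals the URL parameter.

    Authorization was decided on the URL parameter, so it is the only
    authoritative value; the hidden field is client-controlled input.
    """
    if form_value != str(url_value):
        raise BadRequest(f"{field_name} mismatch: form={form_value!r} url={url_value!r}")


def require_label_prefix(label: str, committee_key: str) -> None:
    """Naming convention from the finding: label starts with '<committee_key>-'."""
    if not label.startswith(committee_key + "-"):
        raise BadRequest(f"label {label!r} must start with {committee_key + '-'!r}")


@dataclass
class AddProjectForm:
    committee_key: str  # hidden field: attacker-controlled
    label: str


@dataclass
class EditProjectForm:
    project_key: str  # hidden field: attacker-controlled
    display_name: str


def add_project_vulnerable(url_committee_key: str, form: AddProjectForm) -> dict:
    """Flawed pattern: the validator checks the label against the form's own
    hidden field, while the handler creates the project under the URL's key."""
    require_label_prefix(form.label, form.committee_key)          # validator uses hidden field
    return {"committee": url_committee_key, "label": form.label}  # handler uses URL


def add_project_fixed(url_committee_key: str, form: AddProjectForm) -> dict:
    """Fixed pattern: cross-check the hidden field first, then validate the
    naming convention against the authorized (URL) key only."""
    require_match("committee_key", form.committee_key, url_committee_key)
    require_label_prefix(form.label, url_committee_key)
    return {"committee": url_committee_key, "label": form.label}


def edit_project_fixed(url_project_key: str, form: EditProjectForm) -> dict:
    """Same cross-check for FINDING-101's hidden project_key field."""
    require_match("project_key", form.project_key, url_project_key)
    return {"project": url_project_key, "display_name": form.display_name}


def demo() -> dict:
    """Constructed request: the user is authorized for 'infra' via the URL but
    edits the hidden field to 'security'. Returns what each handler did."""
    tampered = AddProjectForm(committee_key="security", label="security-scanner")
    honest = AddProjectForm(committee_key="infra", label="infra-scanner")
    out = {}
    # Flawed path: 'security-scanner' passes the prefix check against the
    # tampered hidden field and is created under 'infra'.
    out["vulnerable"] = add_project_vulnerable("infra", tampered)
    try:
        add_project_fixed("infra", tampered)
        out["fixed_tampered"] = "accepted"
    except BadRequest as exc:
        out["fixed_tampered"] = f"rejected: {exc}"
    out["fixed_honest"] = add_project_fixed("infra", honest)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Doing the comparison in the handler (as above) keeps the check next to the value that authorization actually used; moving it into a Pydantic validator only works if the URL key is passed in through the validation context, since a validator cannot see the URL on its own.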
### Acceptance Criteria
- [ ] Hidden project_key is validated against URL parameter
- [ ] Mismatched project keys are rejected
- [ ] Test cases verify cross-validation
- [ ] Unit test verifying the fix
### References
- Source reports: L2:2.2.3.md
- Related findings: FINDING-099
- ASVS sections: 2.2.3
### Priority
Medium
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.