asf-tooling opened a new issue, #1018:
URL: https://github.com/apache/tooling-trusted-releases/issues/1018
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The `upload_session` parameter functions as a dedicated token for the
multi-step upload process. However, this token does not comply with ASVS
session management requirements for dedicated tokens used outside standard
session management. The token is typed as `unsafe.UnsafeStr` with no guarantee
of cryptographic randomness, no user binding verification, no expiration
mechanism, no revocation capability, and no scope limitation to specific
projects/versions.
### Details
Affected locations:
- `atr/post/upload.py` line 126: stage endpoint accepts upload_session
- `atr/post/upload.py` line 44: finalise endpoint uses upload_session
The token is used to correlate staging and finalization operations but lacks
proper session management properties:
- No cryptographic randomness guarantee
- No user binding
- No expiration (sessions persist indefinitely)
- No revocation mechanism
- No scope limitation
### Recommended Remediation
Implement proper session management for upload tokens:
1. Generate tokens server-side using `secrets.token_urlsafe(32)` for 256 bits of entropy
2. Store session metadata in database/cache including:
   - session_id
   - user_id
   - project_key
   - version_key
   - created_at
   - expires_at (24-hour TTL recommended)
3. Validate all session properties in both stage and finalise endpoints:
   - User binding
   - Scope limitation
   - Expiration
4. Implement cleanup task to remove expired sessions and staging directories
5. Provide revocation API for users to invalidate sessions before expiration
```python
import secrets
from datetime import datetime, timedelta

# Generate session (server-side; the client never chooses the token).
# store_session_metadata / get_session_metadata are the persistence helpers
# this issue assumes; they are not existing ATR functions.
upload_session = secrets.token_urlsafe(32)  # 256 bits of entropy
await store_session_metadata(
    session_id=upload_session,
    user_id=session.uid,
    project_key=project_key,
    version_key=version_key,
    created_at=datetime.utcnow(),
    expires_at=datetime.utcnow() + timedelta(hours=24),
)
# Validate session (run in both the stage and finalise endpoints)
session_data = await get_session_metadata(upload_session)
if not session_data or session_data.expires_at < datetime.utcnow():
    raise exceptions.Unauthorized("Invalid or expired upload session")
if session_data.user_id != session.uid:
    raise exceptions.Unauthorized("Upload session belongs to different user")
```
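The five remediation steps above, worked through end to end in one added example that is not code from this issue or from the ATR project: an in-memory store standing in for the recommended database/cache, server-side token generation, the existence/expiry/user-binding/scope checks both endpoints must run, owner-only revocation, and the cleanup task. `UploadSessionStore`, `UploadSession` and the explicit `now` argument are assumptions made for testability; real callers would pass the current UTC time.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

SESSION_TTL = timedelta(hours=24)  # 24-hour TTL, as recommended in step 2

@dataclass
class UploadSession:
    user_id: str
    project_key: str
    version_key: str
    created_at: datetime
    expires_at: datetime

class UploadSessionStore:
    """In-memory stand-in (assumption) for the database/cache the issue recommends."""
    def __init__(self) -> None:
        self._sessions: dict[str, UploadSession] = {}

    def create(self, user_id: str, project_key: str, version_key: str, now: datetime) -> str:
        # Server-generated, 256 bits of entropy; the client never supplies the token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = UploadSession(user_id, project_key, version_key, now, now + SESSION_TTL)
        return token

    def validate(self, token: str, user_id: str, project_key: str, version_key: str, now: datetime) -> UploadSession:
        """Checks both stage and finalise must run: existence, expiry, user binding, scope."""
        sess = self._sessions.get(token)
        if sess is None or sess.expires_at <= now:
            raise PermissionError("Invalid or expired upload session")
        if sess.user_id != user_id:
            raise PermissionError("Upload session belongs to different user")
        if (sess.project_key, sess.version_key) != (project_key, version_key):
            raise PermissionError("Upload session not scoped to this project/version")
        return sess

    def revoke(self, token: str, user_id: str) -> bool:
        """Step 5: only the owning user may invalidate a session before it expires."""
        sess = self._sessions.get(token)
        if sess is None or sess.user_id != user_id:
            return False
        del self._sessions[token]
        return True

    def purge_expired(self, now: datetime) -> list[str]:
        """Step 4 cleanup task: drop expired sessions and return their tokens so the caller can remove the staging directories."""
        expired = [t for t, s in self._sessions.items() if s.expires_at <= now]
        for t in expired:
            del self._sessions[t]
        return expired
```

Note that `validate` refuses a token that is valid for the same user but a different project/version, which is the scope check the snippet above does not show.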
### Acceptance Criteria
- [ ] Upload tokens use cryptographic randomness
- [ ] Session metadata is stored and validated
- [ ] Expired sessions are cleaned up automatically
- [ ] User binding is enforced
- [ ] Scope limitation is enforced
- [ ] Test cases verify session management
- [ ] Unit test verifying the fix
### References
- Source reports: L2:4.4.3.md
- Related findings: FINDING-031
- ASVS sections: 4.4.3
### Priority
Medium
---
**Related issue:**
https://github.com/apache/tooling-trusted-releases/issues/968
---
**Triage notes:** related to
https://github.com/apache/tooling-trusted-releases/issues/968