asf-tooling opened a new issue, #1015:
URL: https://github.com/apache/tooling-trusted-releases/issues/1015

   **ASVS Level(s):** [L1]
   
   **Description:**
   
   ### Summary
   The API blueprint explicitly exempts all endpoints from CSRF validation. For 
the 8 API endpoints that use session cookie authentication (via 
`common.authenticate()`) rather than JWT Bearer tokens, the only explicit 
cross-origin protection is SameSite=Strict. While this is currently effective, 
the application also has an implicit Content-Type enforcement through 
`quart_schema.validate_request` → `get_json()`, which rejects 
non-application/json requests. However, this is a side-effect of the validation 
library, not an explicit security control documented or designed as a security 
mechanism. If quart_schema or Quart is updated to use `get_json(force=True)` or 
a more permissive parser, this protection would silently disappear without any 
security test failure or code review flag.
   
   ### Details
   Affected locations:
   - `atr/blueprints/api.py` lines 145-148: CSRF exemption
   - `atr/blueprints/api.py` lines 157-159: before_request hook
   - `atr/blueprints/common.py` lines 228-233: authenticate() function
   - `atr/api/__init__.py`: Session-authenticated endpoints
   
   The implicit Content-Type enforcement is not documented as a security 
control and could disappear with library updates.
   
   ### Recommended Remediation
   **Option 1: Explicit Content-Type Enforcement (Recommended)**
   
   ```python
   import datetime

   import quart

   # _BLUEPRINT and rate_limiter are the existing objects in atr/blueprints/api.py


   @_BLUEPRINT.before_request
   @rate_limiter.rate_limit(500, datetime.timedelta(hours=1))
   async def _api_rate_limit() -> tuple[quart.Response, int] | None:
       """Set the API-wide rate limit and require application/json on state-changing requests."""
       if quart.request.method in ("POST", "PUT", "PATCH", "DELETE"):
           # Strip parameters such as "; charset=utf-8" before comparing the media type
           content_type = (quart.request.content_type or "").split(";")[0].strip()
           # An empty Content-Type (body-less request) is accepted; other non-JSON types are rejected
           if content_type not in ("application/json", ""):
               return quart.jsonify({"error": "Content-Type must be application/json"}), 415
       return None
   ```
   
   **Option 2:** Require X-Requested-With header for session-authenticated 
requests
   
   **Option 3:** Validate request origin for state-changing operations
   
   ### Acceptance Criteria
   - [ ] Explicit Content-Type enforcement for API requests
   - [ ] Non-JSON requests are rejected with 415 status
   - [ ] Protection doesn't depend on implicit library behavior
   - [ ] Test cases verify Content-Type enforcement
   - [ ] Unit test verifying the fix
   
   ### References
   - Source reports: L1:3.5.2.md
   - Related findings: None
   - ASVS sections: 3.5.2
   
   ### Priority
   Medium
   
   ---
   
   **Triage notes:** @sbp check quart_schema


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]