asf-tooling opened a new issue, #1010:
URL: https://github.com/apache/tooling-trusted-releases/issues/1010
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
Three API distribution models lack the cross-field validation for
platform/owner-namespace consistency that the corresponding web form enforces.
API clients can therefore submit distribution records with inconsistent
`platform`/`owner_namespace` combinations (e.g., PyPI with a namespace, Maven
without one) that the web form would reject: nothing checks that `platform` and
`owner_namespace` are consistent with each other.
### Details
Affected locations in `atr/models/api.py`:
- Line 110: `DistributionRecordArgs`
- Line 136: `DistributionRecordFromWorkflowArgs`
- Line 261: `PublisherDistributionRecordArgs`
All three models accept the `platform` and `owner_namespace` fields without
validating their relationship. The web forms enforce this validation; the API
models do not.
### Recommended Remediation
Add the same validation to all three API models using
`@pydantic.model_validator` to check platform/owner_namespace consistency:
```python
import pydantic

# Method body for each of the three models (DistributionRecordArgs shown).
# mode='after' runs once all fields are parsed, so both can be compared.
@pydantic.model_validator(mode='after')
def validate_platform_namespace(self) -> 'DistributionRecordArgs':
    # Maven requires owner_namespace
    if self.platform == 'maven' and not self.distribution_owner_namespace:
        raise ValueError("Maven distributions require owner namespace")
    # PyPI doesn't use owner_namespace
    if self.platform == 'pypi' and self.distribution_owner_namespace:
        raise ValueError("PyPI distributions don't use owner namespace")
    return self
```
Apply to all three API models: `DistributionRecordArgs`,
`DistributionRecordFromWorkflowArgs`, `PublisherDistributionRecordArgs`.
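The following is an added, self-contained illustration of the remediation and is not code from the `tooling-trusted-releases` project. It factors the platform/namespace rule into one function shared by three stand-in models (the field lists beyond `platform` and `distribution_owner_namespace`, the `try_build` helper and the sample payloads are assumptions), so that the three API models cannot drift apart. To run with only the standard library it uses a dataclass `__post_init__` in place of `@pydantic.model_validator(mode='after')`; the check itself is the same.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Type

# Consistency rules as stated in the issue: Maven coordinates need an
# owner namespace (groupId); PyPI package names carry none.
NAMESPACE_REQUIRED = frozenset({"maven"})
NAMESPACE_FORBIDDEN = frozenset({"pypi"})


def check_platform_namespace(platform: str, owner_namespace: Optional[str]) -> Optional[str]:
    """Return an error message when platform and owner namespace disagree, else None.

    A plain function so every model (and every test) calls one rule instead of
    each model carrying its own copy; an empty string counts as "no namespace".
    """
    if platform in NAMESPACE_REQUIRED and not owner_namespace:
        return f"{platform} distributions require an owner namespace"
    if platform in NAMESPACE_FORBIDDEN and owner_namespace:
        return f"{platform} distributions do not use an owner namespace"
    return None


class PlatformNamespaceMixin:
    """Shared cross-field check. dataclasses call __post_init__ after all fields
    are assigned, the same point at which pydantic runs an 'after' validator."""

    platform: str
    distribution_owner_namespace: Optional[str]

    def __post_init__(self) -> None:
        error = check_platform_namespace(self.platform, self.distribution_owner_namespace)
        if error is not None:
            raise ValueError(error)


# Hypothetical stand-ins for the three models named in the issue.
@dataclass
class DistributionRecordArgs(PlatformNamespaceMixin):
    platform: str
    package_name: str
    distribution_owner_namespace: Optional[str] = None


@dataclass
class DistributionRecordFromWorkflowArgs(PlatformNamespaceMixin):
    platform: str
    package_name: str
    distribution_owner_namespace: Optional[str] = None
    workflow_run_id: str = "run-0"  # assumed extra field


@dataclass
class PublisherDistributionRecordArgs(PlatformNamespaceMixin):
    platform: str
    package_name: str
    distribution_owner_namespace: Optional[str] = None
    publisher: str = "example-publisher"  # assumed extra field


def try_build(model_cls: Type[PlatformNamespaceMixin], payload: dict) -> Optional[str]:
    """Build a model from an API-style payload; return the rejection reason or None."""
    try:
        model_cls(**payload)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample payloads (not from the project), one per outcome.
SAMPLE_PAYLOADS = {
    "maven_ok": {"platform": "maven", "package_name": "tooling-core",
                 "distribution_owner_namespace": "org.apache.example"},
    "maven_missing_ns": {"platform": "maven", "package_name": "tooling-core"},
    "pypi_ok": {"platform": "pypi", "package_name": "apache-example"},
    "pypi_with_ns": {"platform": "pypi", "package_name": "apache-example",
                     "distribution_owner_namespace": "apache"},
}


def rejections_for(model_cls) -> dict:
    """Run every sample payload through one model; map payload name -> error or None."""
    return {name: try_build(model_cls, dict(payload)) for name, payload in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for cls in (DistributionRecordArgs, DistributionRecordFromWorkflowArgs,
                PublisherDistributionRecordArgs):
        print(cls.__name__, rejections_for(cls))
```

Because the rule lives in `check_platform_namespace`, the acceptance criterion "validation matches web form behavior" reduces to having the form handler call the same function; a unit test over `rejections_for` then covers all three models with one table of inputs.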
### Acceptance Criteria
- [ ] All three API models enforce platform/namespace validation
- [ ] Invalid combinations are rejected
- [ ] Validation matches web form behavior
- [ ] Test cases verify validation in all models
- [ ] Unit test verifying the fix
### References
- Source reports: L2:2.2.3.md
- Related findings: FINDING-098
- ASVS sections: 2.2.3
### Priority
Medium
---
**Triage notes:** confirm the web does this, that the method does what it
says, possibly abstract it to use a protocol
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]