asf-tooling opened a new issue, #1021:
URL: https://github.com/apache/tooling-trusted-releases/issues/1021
**ASVS Level(s):** [L1]
**Description:**
### Summary
The DISALLOWED_FILENAMES check runs as a background task after files are
already stored in the revision directory. This creates a window where dangerous
files (such as .htaccess, .htpasswd, or private keys) exist in storage before
being flagged, with no automatic remediation mechanism. The data flow is: User
uploads file → stored in staging → finalized into revision → file exists in
unfinished/project/version/revision/ directory → LATER background task reports
the issue → no automatic remediation occurs.
### Details
Affected locations:
- `atr/tasks/checks/paths.py` lines 181-195: Background check for disallowed
filenames
- `atr/post/upload.py`: Upload staging without filename validation
- `atr/analysis.py` lines 57-69: Disallowed filename patterns
The check happens asynchronously after files are already written to disk,
creating a window where dangerous files exist in storage.
### Recommended Remediation
Add upload-time blocking in the staging flow:
**(1)** Create `_validate_upload_filename()` function that checks against
DISALLOWED_FILENAMES and DISALLOWED_SUFFIXES before saving uploaded files:
```python
def _validate_upload_filename(filename: str) -> None:
    """Validate filename against disallowed patterns before upload."""
    # `exceptions` is assumed to be the project's exception module, imported by the calling module.
    from atr.analysis import DISALLOWED_FILENAMES, DISALLOWED_SUFFIXES

    if filename in DISALLOWED_FILENAMES:
        raise exceptions.BadRequest(f"Filename '{filename}' is not allowed")
    for suffix in DISALLOWED_SUFFIXES:
        if filename.endswith(suffix):
            raise exceptions.BadRequest(f"File extension '{suffix}' is not allowed")
```
**(2)** Add validation in `atr/storage/writers/revision.py` during
`create_revision_with_quarantine()` as defense-in-depth to reject disallowed
filenames and extensions before writing files.
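Both steps as one self-contained sketch, added here as an example and not ATR's own code: `DISALLOWED_FILENAMES`, `DISALLOWED_SUFFIXES` and `BadRequest` are constructed stand-ins for the project's definitions in `atr/analysis.py` and its exceptions module, and the check is generalised to every path component so that a disallowed name inside a subdirectory is rejected as well.

```python
"""Upload-time filename validation (added example, not the project's code)."""
from __future__ import annotations

from pathlib import PurePosixPath

# Constructed sample lists; the real ones live in atr/analysis.py.
DISALLOWED_FILENAMES: frozenset[str] = frozenset({".htaccess", ".htpasswd"})
DISALLOWED_SUFFIXES: tuple[str, ...] = (".pem", ".key")


class BadRequest(ValueError):
    """Stand-in for the project's exceptions.BadRequest."""


def validate_upload_path(relative_path: str) -> str:
    """Reject a path before anything is written to the revision directory.

    Every path component is checked, so `conf/.htaccess` is rejected just like
    a top-level `.htaccess`. Returns the normalised path on success.
    """
    path = PurePosixPath(relative_path)
    for part in path.parts:
        if part in DISALLOWED_FILENAMES:
            raise BadRequest(f"Filename '{part}' is not allowed")
        for suffix in DISALLOWED_SUFFIXES:
            if part.endswith(suffix):
                raise BadRequest(f"File extension '{suffix}' is not allowed")
    return str(path)


def rejected_paths(paths: list[str]) -> dict[str, str]:
    """Map each rejected path to its reason; accepted paths are omitted.

    This is the shape of the defense-in-depth check in revision creation:
    validate the whole file set first and write only if nothing was rejected,
    so no disallowed file ever lands on disk waiting for a background check.
    """
    problems: dict[str, str] = {}
    for p in paths:
        try:
            validate_upload_path(p)
        except BadRequest as exc:
            problems[p] = str(exc)
    return problems
```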
### Acceptance Criteria
- [ ] Disallowed filenames are rejected at upload time
- [ ] Files never reach storage if filename is disallowed
- [ ] Defense-in-depth check exists in revision creation
- [ ] Test cases verify upload-time rejection
- [ ] Unit test verifying the fix
### References
- Source reports: L1:5.3.1.md
- Related findings: FINDING-235, FINDING-236
- ASVS sections: 5.3.1
### Priority
Medium
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.