asf-tooling opened a new issue, #1043:
URL: https://github.com/apache/tooling-trusted-releases/issues/1043
**ASVS Level(s):** [L1]
**Description:**
### Summary
The `checks.py` writer implements a validation pattern to ensure a project
belongs to the committee the user is acting as a member of. This control is not
consistently applied across other writer classes (`distributions.py`,
`policy.py`, `release.py`, `revision.py`, `sbom.py`), creating potential for
cross-committee authorization bypass if future code changes introduce direct
committee-level access.
### Details
Affected locations:
- `atr/storage/writers/distributions.py`: No project-committee validation
- `atr/storage/writers/policy.py`: No project-committee validation
- `atr/storage/writers/release.py`: No project-committee validation
- `atr/storage/writers/revision.py`: No project-committee validation
- `atr/storage/writers/sbom.py`: No project-committee validation
The `checks.py` writer validates that projects belong to the committee
context, but other writers don't apply this validation consistently.
### Recommended Remediation
Extract shared validation to base class
`WriteAsCommitteeMember._validate_project_in_committee()` and apply in all
writer methods accepting project/release keys:
```python
# In atr/storage/writers/base.py
class WriteAsCommitteeMember:
    async def _validate_project_in_committee(self, project_key: str) -> None:
        """Validate that project belongs to this committee."""
        project = await self._get_project(project_key)
        if project.committee_key != self.committee_key:
            raise storage.AccessError(
                f"Project {project_key} does not belong to "
                f"committee {self.committee_key}"
            )

# Apply in all writer methods:
async def some_operation(self, project_key: str, ...):
    await self._validate_project_in_committee(project_key)
    # ... proceed with operation
```
Add validation that project belongs to the committee context in all storage
writer methods.
### Acceptance Criteria
- [ ] Project-committee validation is applied consistently
- [ ] Shared validation exists in base class
- [ ] All writers use consistent validation
- [ ] Test cases verify cross-committee access is blocked
- [ ] Unit test verifying the fix
### References
- Source reports: L1:8.3.1.md
- Related findings: FINDING-147
- ASVS sections: 8.3.1
### Priority
Medium
---
**Triage notes:** audit_guidance about projects not moving committees,
moving from podling to tlp, project going to or from attic, do not surmise
future code changes
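The remediation above, worked through as a self-contained added example (not code from the tooling-trusted-releases project): a base writer that fails closed when a project key resolves to another committee's project, a hypothetical `ReleaseWriter` that calls the check before writing, and a synchronous `try_create` helper so the allowed, denied and unknown-key cases can be exercised directly. The `AccessError` class, the `Project` dataclass and the `PROJECTS` table are constructed stand-ins for the project's storage layer.

```python
import asyncio
from dataclasses import dataclass

class AccessError(Exception):
    """Stand-in for storage.AccessError (assumed name, not the project's class)."""

@dataclass(frozen=True)
class Project:
    key: str
    committee_key: str

# Constructed sample data standing in for the database: one project per committee.
PROJECTS = {
    "tooling": Project("tooling", "tooling-pmc"),
    "httpd": Project("httpd", "httpd-pmc"),
}

class WriteAsCommitteeMember:
    """Base writer; every method that takes a project key runs the check first."""

    def __init__(self, committee_key: str) -> None:
        self.committee_key = committee_key

    async def _get_project(self, project_key: str) -> Project:
        if project_key not in PROJECTS:
            # Fail closed: an unknown key is an access error, not a distinguishable lookup miss.
            raise AccessError(f"Project {project_key} not found")
        return PROJECTS[project_key]

    async def _validate_project_in_committee(self, project_key: str) -> None:
        project = await self._get_project(project_key)
        if project.committee_key != self.committee_key:
            raise AccessError(f"Project {project_key} does not belong to committee {self.committee_key}")

class ReleaseWriter(WriteAsCommitteeMember):
    """Hypothetical writer mirroring release.py: validates before it writes."""

    async def create_release(self, project_key: str, version: str) -> str:
        await self._validate_project_in_committee(project_key)
        return f"{project_key}-{version}"  # the write itself; here just the release key

def try_create(committee_key: str, project_key: str) -> str:
    """Run the write as a member of committee_key; return the key or the denial text."""
    try:
        return asyncio.run(ReleaseWriter(committee_key).create_release(project_key, "1.0.0"))
    except AccessError as exc:
        return f"denied: {exc}"
```

A test for the acceptance criterion "cross-committee access is blocked" is then a call like `try_create("tooling-pmc", "httpd")` asserting on the denial.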
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.