asf-tooling opened a new issue, #1081:
URL: https://github.com/apache/tooling-trusted-releases/issues/1081
**ASVS Level(s):** L1
**Description:**
### Summary
The KEYS file web upload endpoint in `atr/post/keys.py` accepts file uploads
without validating the file extension. While the file content IS validated by
PGP parsing (rejecting non-PGP content), the absence of extension checking
violates ASVS 5.2.2's explicit requirement to 'check if the file extension
matches an expected file extension.' The upload handler processes files with
any extension (including potentially confusing extensions like .exe) as long as
they contain valid PGP key data.
### Details
In `atr/post/keys.py` at lines 284-305, the `_upload_file_keys()` function
processes uploaded files without verifying the file extension. No verification
is performed that the uploaded file has an expected extension such as .asc,
.gpg, .key, .pub, .txt, or no extension.
### Recommended Remediation
Add file extension validation before content processing. Validate that the
uploaded file has an expected extension from the allowlist: {"", ".asc",
".gpg", ".key", ".pub", ".txt"}.
```python
import asyncio
import pathlib

import quart

# `shared` (the ATR shared helpers) and `_process_keys` are existing
# module-level names in atr/post/keys.py and are not reproduced here.


async def _upload_file_keys(upload_file_form: shared.keys.UploadFileForm) -> str:
    if upload_file_form.key is None:
        await quart.flash("No KEYS file uploaded", "error")
        return await shared.keys.render_upload_page(error=True)

    # Validate the file extension (ASVS 5.2.2) before reading or parsing content.
    # The filename is client-supplied: compare only the lower-cased final
    # suffix, and allow a missing extension for a plain "KEYS" file.
    filename = upload_file_form.key.filename or ""
    allowed_extensions = {"", ".asc", ".gpg", ".key", ".pub", ".txt"}
    ext = pathlib.PurePath(filename).suffix.lower()
    if ext not in allowed_extensions:
        await quart.flash(
            f"Unexpected file extension '{ext}'. "
            f"Expected a PGP key file ({', '.join(sorted(allowed_extensions))}).",
            "error",
        )
        return await shared.keys.render_upload_page(error=True)

    keys_content = await asyncio.to_thread(upload_file_form.key.read)
    keys_text = keys_content.decode("utf-8", errors="replace")
    await _process_keys(keys_text)
```
### Acceptance Criteria
- [ ] File extension validation implemented before content processing
- [ ] Only allowed extensions accepted
- [ ] Clear error messages for invalid extensions
- [ ] Unit test verifying extension validation
### References
- Source reports: L1:5.2.2.md
- Related findings: None
- ASVS sections: 5.2.2
### Priority
Low
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
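The allowlist check from the issue, worked through as a framework-free, unit-testable function so the edge cases a reviewer would ask about are visible. This is an added example, not code from apache/tooling-trusted-releases: the `check_extension`, `looks_like_pgp_keys`, `validate_keys_upload` and `classify` names are hypothetical, the armored sample is constructed and contains no real key material, and the content sniff (armor header or binary public-key packet tag) only stands in for the real PGP parse the endpoint performs. It shows that the extension check is a pre-filter layered in front of content validation, that the suffix comparison must be case-insensitive and must strip any client path component, and that `pathlib` treats a bare dotfile name such as `.asc` as having no extension at all.

```python
"""Allowlisted-extension plus content check for an uploaded KEYS file.

Added example for the ASVS 5.2.2 finding; not the project's own handler.
"""
import pathlib
import re

# Allowlist from the issue: no extension (plain "KEYS") plus common key suffixes.
ALLOWED_EXTENSIONS = frozenset({"", ".asc", ".gpg", ".key", ".pub", ".txt"})

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
# First byte of a binary OpenPGP Public-Key packet (tag 6): old-format header
# 0b10_0110_xx (0x98-0x9B) or new-format header 0b11_000110 (0xC6).
BINARY_PUBKEY_FIRST_BYTES = frozenset({0x98, 0x99, 0x9A, 0x9B, 0xC6})


class UploadRejected(ValueError):
    """Raised with a user-facing message when the upload fails validation."""


def check_extension(filename: str) -> str:
    """Return the normalised extension of the upload, or raise UploadRejected.

    The browser-supplied filename is untrusted: drop any path component
    (either separator, since the client OS is unknown) and compare the
    lower-cased final suffix against the allowlist, so "KEYS.ASC" passes and
    "KEYS.asc.exe" is rejected on its real final extension ".exe".
    """
    basename = re.split(r"[\\/]", filename)[-1]
    ext = pathlib.PurePath(basename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        expected = ", ".join(repr(e) for e in sorted(ALLOWED_EXTENSIONS))
        raise UploadRejected(
            f"Unexpected file extension {ext!r}. Expected a PGP key file ({expected})."
        )
    return ext


def looks_like_pgp_keys(content: bytes) -> bool:
    """Cheap content sniff standing in for the endpoint's real PGP parse.

    Accepts an ASCII-armored public key block or a binary public-key packet.
    """
    if content.lstrip().startswith(ARMOR_HEADER):
        return True
    return bool(content) and content[0] in BINARY_PUBKEY_FIRST_BYTES


def validate_keys_upload(filename: str, content: bytes) -> str:
    """Extension allowlist first, then content check; returns the key text."""
    check_extension(filename)  # rejects ".exe", ".html", ... before any parsing
    if not looks_like_pgp_keys(content):
        raise UploadRejected("Uploaded file does not contain PGP key data.")
    return content.decode("utf-8", errors="replace")


# Constructed sample: armor header and placeholder body only, not a real key.
SAMPLE_ARMORED = (
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
    b"mQENBF...constructed placeholder, not real key material...\n"
    b"-----END PGP PUBLIC KEY BLOCK-----\n"
)


def classify(filename: str, content: bytes = SAMPLE_ARMORED) -> str:
    """Return "ok" or the rejection message; handy for tests and demos."""
    try:
        validate_keys_upload(filename, content)
        return "ok"
    except UploadRejected as exc:
        return str(exc)


if __name__ == "__main__":
    for name in ("KEYS", "KEYS.asc", "keys.ASC", "C:\\Users\\rm\\KEYS.asc",
                 "KEYS.exe", "KEYS.asc.exe", ".asc"):
        print(f"{name!r}: {classify(name)}")
    print("armored name, junk content:", classify("KEYS.asc", b"<html>not a key</html>"))
```

The dotfile case is worth a unit test of its own: `pathlib.PurePath(".asc").suffix` is the empty string, so a file literally named `.asc` lands in the "no extension" bucket rather than the `.asc` one. That is harmless here because both are allowed, but it is a reminder that the extension check is only defence in depth and the PGP parse remains the control that actually matters.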