asf-tooling opened a new issue, #1087: URL: https://github.com/apache/tooling-trusted-releases/issues/1087
**ASVS Level(s):** L1

**Description:**

### Summary

The storage layer's Write class validates that asf_uid is not None before granting foundation committer access. The Read class lacks this check, creating asymmetry in authorization enforcement between read and write operations.

### Details

In `atr/storage/__init__.py` at line 89, the Read class's `as_foundation_committer_outcome()` method does not validate that asf_uid is not None, while the corresponding Write class method does perform this validation.

### Recommended Remediation

Add asf_uid validation to `Read.as_foundation_committer_outcome()` matching the check in `Write.as_foundation_committer_outcome()`. Ensure consistent authorization validation across read and write paths.

### Acceptance Criteria

- [ ] Read class validates asf_uid is not None
- [ ] Consistent authorization validation between read and write
- [ ] Unit tests verify validation in both paths

### References

- Source reports: L1:8.3.1.md
- Related findings: None
- ASVS sections: 8.3.1

### Priority

Low

---

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
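As an added illustration (not ATR's own code; the class, method and outcome names below are hypothetical stand-ins for the real storage layer), this shows the read/write asymmetry described in the issue, the remediated read path, and the parity check that the acceptance criteria ask a unit test to perform:

```python
# Hypothetical stand-in for the storage layer; names are assumptions, not ATR code.
from dataclasses import dataclass
from typing import Any, Union


@dataclass(frozen=True)
class Ok:
    value: Any


@dataclass(frozen=True)
class Error:
    message: str


Outcome = Union[Ok, Error]


@dataclass(frozen=True)
class FoundationCommitter:
    """Capability handed out only to an authenticated ASF committer."""
    asf_uid: str


class Write:
    """Write path: refuses to mint the capability when no uid is present."""
    def __init__(self, asf_uid):
        self.asf_uid = asf_uid

    def as_foundation_committer_outcome(self) -> Outcome:
        if self.asf_uid is None:
            return Error("not authenticated")
        return Ok(FoundationCommitter(self.asf_uid))


class ReadBefore(Write):
    """Read path as reported: no None check, so an unauthenticated caller
    still receives a committer capability keyed on None."""
    def as_foundation_committer_outcome(self) -> Outcome:
        return Ok(FoundationCommitter(self.asf_uid))


class ReadAfter(Write):
    """Remediated read path: the same guard as the write path."""
    def as_foundation_committer_outcome(self) -> Outcome:
        if self.asf_uid is None:
            return Error("not authenticated")
        return Ok(FoundationCommitter(self.asf_uid))


def paths_agree(read_cls, write_cls, asf_uid) -> bool:
    """Parity check for the unit test: both paths must grant or deny alike."""
    r = read_cls(asf_uid).as_foundation_committer_outcome()
    w = write_cls(asf_uid).as_foundation_committer_outcome()
    return isinstance(r, Ok) == isinstance(w, Ok)
```

Running `paths_agree` over a table of uids (None plus a few real-looking values) for every read/write class pair is the shape of test the third acceptance criterion calls for.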
