asf-tooling opened a new issue, #1042:
URL: https://github.com/apache/tooling-trusted-releases/issues/1042
**ASVS Level(s):** [L1]
**Description:**
### Summary
The `_set_tag()` function allows modification of revision tags through
direct database writes instead of routing through the storage layer. While
project access is validated via `session.release()`, the operation bypasses
storage layer authorization checks and audit logging. Revision tags can be
modified without proper authorization validation or audit trail.
### Details
Affected location: `atr/post/revisions.py` lines 67-95
The function:
1. Validates project access via `session.release()`
2. Directly modifies the `revision.tag` attribute
3. Commits to the database without going through the storage layer
4. Writes no audit log entry
### Recommended Remediation
Route through storage layer with proper authorization. Create
`write.revisions.set_tag()` method in storage layer that validates
authorization and creates audit log entries:
```python
# In atr/storage/writers/revision.py
class WriteAsCommitteeMember:
    async def set_tag(self, revision_key: str, tag: str | None) -> None:
        """Set revision tag with authorization and audit."""
        revision = await self._get_revision(revision_key)
        # Validate authorization
        await self._check_project_access(revision.release.project_key)
        # Capture the old value before mutating, otherwise the audit entry
        # would record the new tag as the previous one
        previous_tag = revision.tag
        # Update tag
        revision.tag = tag
        # Audit log
        await self._append_audit_log(
            action='revision_tag_set',
            details={
                'revision': revision_key,
                'tag': tag,
                'previous_tag': previous_tag,
            },
        )

# In atr/post/revisions.py
async def _set_tag(session, project_key, version_key, revision_number, tag):
    # revision_key is derived from project_key, version_key and
    # revision_number; the derivation is not shown in this sketch
    async with write.as_committee_member(session.uid) as ctx:
        await ctx.set_tag(revision_key, tag)
```
Replace direct database write with storage layer call.
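As an added illustration (not ATR's code, and not the storage API of apache/tooling-trusted-releases), a minimal in-memory model of the pattern the remediation describes: a writer that refuses non-members before mutating anything and records both the previous and the new tag, beside the direct write the finding flags. All class, field and user names are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Revision:
    key: str
    project_key: str
    tag: str | None = None

@dataclass
class Store:
    revisions: dict[str, Revision]
    committee_members: dict[str, set[str]]  # project_key -> member uids
    audit_log: list[dict] = field(default_factory=list)

class AuthorizationError(PermissionError): ...

class WriteAsCommitteeMember:
    """Hypothetical storage-layer writer: every mutation is authorized and audited."""
    def __init__(self, store: Store, uid: str) -> None:
        self._store, self._uid = store, uid

    def _check_project_access(self, project_key: str) -> None:
        if self._uid not in self._store.committee_members.get(project_key, set()):
            raise AuthorizationError(f"{self._uid} is not a committee member of {project_key}")

    def set_tag(self, revision_key: str, tag: str | None) -> None:
        revision = self._store.revisions[revision_key]
        self._check_project_access(revision.project_key)
        previous_tag = revision.tag  # capture before mutating, or the audit entry is wrong
        revision.tag = tag
        self._store.audit_log.append({
            "action": "revision_tag_set", "uid": self._uid, "revision": revision_key,
            "tag": tag, "previous_tag": previous_tag,
        })

def set_tag_direct(store: Store, revision_key: str, tag: str | None) -> None:
    # The anti-pattern from the finding: a direct write with no authorization or audit.
    store.revisions[revision_key].tag = tag

def demo() -> tuple[Store, bool]:
    # Constructed sample data: one revision, one committee member.
    store = Store(revisions={"r1": Revision("r1", "tooling", tag="rc1")},
                  committee_members={"tooling": {"alice"}})
    WriteAsCommitteeMember(store, "alice").set_tag("r1", "rc2")
    try:  # a non-member is refused before anything is mutated
        WriteAsCommitteeMember(store, "outsider").set_tag("r1", "rc9")
        denied = False
    except AuthorizationError:
        denied = True
    return store, denied
```

Running `demo()` leaves exactly one audit entry (alice, rc1 to rc2) and the outsider's attempt changes nothing; calling `set_tag_direct` afterwards changes the tag without adding an entry, which is the gap the finding describes.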
### Acceptance Criteria
- [ ] Revision tag modification uses storage layer
- [ ] Authorization is validated through storage layer
- [ ] Audit log entries are created
- [ ] Test cases verify storage layer usage
- [ ] Unit test verifying the fix
### References
- Source reports: L1:8.3.1.md
- Related findings: FINDING-009, FINDING-148
- ASVS sections: 8.3.1
### Priority
Medium
---
This is an automated message from the Apache Git Service.