asf-tooling opened a new issue, #1051:
URL: https://github.com/apache/tooling-trusted-releases/issues/1051
**ASVS Level(s):** L1, L2
**Description:**
### Summary
The authorization code received from the OAuth callback is interpolated
directly into the token exchange URL without URL encoding (`rv = await
session.get(OAUTH_URL_CALLBACK % code)`). If the authorization code contains
URL-special characters (&, =, #, %), the request URL would be malformed. An
attacker controlling the code parameter could potentially inject additional
query parameters (e.g., `code=legit_code&client_id=other_client`), confusing
server-side logic or bypassing validation checks. While OAuth authorization
codes are typically alphanumeric-only by AS design and the token endpoint
should reject invalid codes, this practice violates defensive programming
principles and could lead to parameter injection if the AS code format changes.
### Details
The vulnerability exists in `src/asfquart/generics.py` line 109, where the
authorization code is directly interpolated into `OAUTH_URL_CALLBACK` (defined
at lines 12-14) using Python string formatting without URL encoding.
### Recommended Remediation
Apply URL-encoding to the authorization code before interpolation:
**Option 1 (Simple):**
```python
import urllib.parse

# Percent-encode every character of the code, including '&', '=', '#' and '%'
rv = await session.get(OAUTH_URL_CALLBACK % urllib.parse.quote(code, safe=''))
```
**Option 2 (Preferred):**
```python
# Parse the callback URL and add code as a proper query parameter.
# Note: splitting on '?' discards any other query parameters present in
# OAUTH_URL_CALLBACK; those must be passed in `params` as well.
callback_url_base = OAUTH_URL_CALLBACK.split('?')[0]
rv = await session.get(callback_url_base, params={'code': code})
```
This ensures proper encoding regardless of code content and prevents
parameter injection attacks.
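The following is an added, stand-alone illustration of the three URL-building strategies above; it is not code from the issue or from asfquart. It uses a constructed `OAUTH_URL_CALLBACK` template (the real one lives in `src/asfquart/generics.py` and is not reproduced here) and `urllib.parse.urlencode` in place of an HTTP client's `params=` argument, so it runs offline. The check `code_survives_intact` decodes each URL the way a server would and confirms that exactly one `code` parameter arrives, carrying the original value, with no extra parameters and no fragment.

```python
import urllib.parse

# Constructed stand-in for the real OAUTH_URL_CALLBACK template (assumption:
# the template ends with a `code=%s` query parameter, as the issue's `% code`
# interpolation implies).
OAUTH_URL_CALLBACK = "https://oauth.example.test/token?code=%s"


def build_unencoded(code: str) -> str:
    """Mirrors the reported pattern: raw string interpolation, no encoding."""
    return OAUTH_URL_CALLBACK % code


def build_quoted(code: str) -> str:
    """Option 1: percent-encode every character that is not unreserved."""
    return OAUTH_URL_CALLBACK % urllib.parse.quote(code, safe="")


def build_with_params(code: str) -> str:
    """Option 2: hand the code to a query-string encoder instead of
    interpolating it. This is what an HTTP client's params= does; shown
    with urllib so the example needs no aiohttp."""
    base = OAUTH_URL_CALLBACK.split("?")[0]
    return base + "?" + urllib.parse.urlencode({"code": code})


def parsed_query(url: str) -> dict:
    """Decode the URL the way a server would: query split on '&'/'=',
    values percent-decoded."""
    return urllib.parse.parse_qs(
        urllib.parse.urlparse(url).query, keep_blank_values=True
    )


def code_survives_intact(url: str, original_code: str) -> bool:
    """Defensive check: the server sees exactly one 'code' parameter whose
    value equals the original code, no other parameters and no fragment."""
    parts = urllib.parse.urlparse(url)
    query = parsed_query(url)
    return (
        parts.fragment == ""
        and list(query) == ["code"]
        and query["code"] == [original_code]
    )


if __name__ == "__main__":
    # Constructed sample codes: one benign, three carrying URL-special characters.
    samples = ("AbC123", "legit&client_id=other", "x#frag", "50%25")
    builders = (
        ("raw", build_unencoded),
        ("quote", build_quoted),
        ("params", build_with_params),
    )
    for code in samples:
        for name, build in builders:
            url = build(code)
            print(f"{name:6} {code!r:24} -> {url}  "
                  f"intact={code_survives_intact(url, code)}")
```

Running the block shows that only the raw interpolation lets `legit&client_id=other` arrive as two parameters, turns `x#frag` into a fragment the server never receives, and decodes `50%25` to a different value; both the `quote(code, safe='')` and the `params` approaches deliver the original string unchanged, which is the property the unit tests in the acceptance criteria should assert.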
### Acceptance Criteria
- [ ] Authorization code URL-encoded before interpolation
- [ ] Unit tests verify proper encoding of special characters
- [ ] Unit tests verify parameter injection attempts are prevented
- [ ] Integration tests verify OAuth flow works with encoded codes
- [ ] Code review confirms no other URL interpolation vulnerabilities
### References
- Source reports: L1:10.4.1.md, L1:10.4.2.md, L1:10.4.4.md, L2:10.4.7.md
- Related findings: None
- ASVS sections: 10.4.1, 10.4.2, 10.4.4, 10.4.7
- CWE: CWE-74
### Priority
Medium
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]