asf-tooling opened a new issue, #1046:
URL: https://github.com/apache/tooling-trusted-releases/issues/1046
**ASVS Level(s):** L2-only
**Description:**
### Summary
Public API endpoints (`/tasks/list`, `/checks/list`, `/releases/list`,
`/ssh-keys/list`) return full SQL model objects without field-level filtering,
exposing internal implementation details to unauthenticated consumers. Fields
like `pid`, `task_args`, `error`, `result`, `asf_uid`, `data`, `inputs_hash`,
`checker_version`, `cached`, `check_cache_key`, `release_policy_id`,
`vote_manual`, `votes`, `github_payload`, `github_nid`, and `github_uid` are
exposed. This violates BOPLA (Break Object Parameter or Level Authorization)
principles by providing access to object properties that should be
internal-only.
### Details
The issue is systemic across multiple endpoints in `atr/api/__init__.py`
(lines 783, 1026) and `atr/models/api.py`. SQL models are serialized directly
to JSON responses without applying field filtering based on consumer
authorization level. Internal fields intended for debugging, caching, and
system operations are exposed to the public internet.
### Recommended Remediation
Define public-safe response models that explicitly include only fields
appropriate for public consumption:
```python
from datetime import datetime
from typing import Optional

import pydantic


class TaskPublicView(pydantic.BaseModel):
    id: int
    status: str
    task_type: str
    project_key: str
    version_key: str
    added: datetime
    completed: Optional[datetime]
    # Exclude: pid, task_args, error, result, asf_uid


class CheckResultPublicView(pydantic.BaseModel):
    id: int
    check_name: str
    status: str
    message: Optional[str]
    # Exclude: inputs_hash, checker_version, cached, check_cache_key
```
Apply field filtering by converting SQL models to Safe models before
serialization.
### Acceptance Criteria
- [ ] Public-safe response models created for Task, CheckResult, Release,
and SSHKey entities
- [ ] All public API endpoints updated to use filtered response models
- [ ] Internal fields no longer exposed in public API responses
- [ ] Unit tests verify field filtering is applied correctly
- [ ] Integration tests confirm public endpoints return only safe fields
### References
- Source reports: L2:8.2.3.md
- Related findings: FINDING-153
- ASVS sections: 8.2.3
### Priority
Medium
---
**Triage notes:** audit_guidance about public endpoints, add to what's there
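The allowlist conversion recommended under "Recommended Remediation" above, as an added example that is not part of the issue or the project's code: it uses standard-library dataclasses in place of pydantic so it runs without dependencies, `FakeTaskModel` is a constructed stand-in for the SQL `Task` model, and `leaked_fields` is a hypothetical helper for the unit tests named in the acceptance criteria.

```python
import dataclasses
import json
from datetime import datetime, timezone
from typing import Any, Optional


@dataclasses.dataclass(frozen=True)
class TaskPublicView:
    # Public-safe view of Task: only fields declared here are ever serialized.
    id: int
    status: str
    task_type: str
    project_key: str
    version_key: str
    added: datetime
    completed: Optional[datetime]

    @classmethod
    def from_model(cls, model: Any) -> "TaskPublicView":
        # Allowlist conversion: copy only the declared view fields, so an
        # internal column added to the SQL model later cannot leak by default.
        return cls(**{f.name: getattr(model, f.name) for f in dataclasses.fields(cls)})


def serialize(model: Any, public: bool) -> str:
    # public=False is today's behaviour (the whole SQL model goes out);
    # public=True is the remediation (convert to the view before dumping).
    obj = TaskPublicView.from_model(model) if public else model
    return json.dumps(dataclasses.asdict(obj), default=lambda v: v.isoformat())


def leaked_fields(payload: str, view_cls: type = TaskPublicView) -> set:
    # Unit-test helper for the acceptance criteria: response keys not on the view.
    allowed = {f.name for f in dataclasses.fields(view_cls)}
    return set(json.loads(payload)) - allowed


@dataclasses.dataclass
class FakeTaskModel:
    # Constructed stand-in for the SQL Task model, internal columns included.
    id: int = 42
    status: str = "COMPLETED"
    task_type: str = "example_check"
    project_key: str = "example"
    version_key: str = "0.1.0"
    added: datetime = datetime(2024, 1, 1, tzinfo=timezone.utc)
    completed: Optional[datetime] = None
    pid: int = 31337                              # internal only
    task_args: str = '{"path": "/srv/internal"}'  # internal only
    asf_uid: str = "someuser"                     # internal only
```

Because the view copies by allowlist rather than by excluding known-bad names, a column added to the SQL model later stays out of the public response until someone deliberately adds it to the view.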