asf-tooling opened a new issue, #1044:
URL: https://github.com/apache/tooling-trusted-releases/issues/1044
**ASVS Level(s):** [L1]
**Description:**
### Summary
The `start()` function in the vote writer accepts a `vote_duration_choice`
parameter without validating it against the release's configured minimum voting
period (`ReleasePolicy.min_hours`). This allows committee participants to
initiate votes with durations shorter than governance requirements, potentially
completing votes in 1 hour when policy requires 72 hours.
### Details
Affected location: `atr/storage/writers/vote.py` lines 117-167
The function accepts `vote_duration_choice` and creates a vote task without
checking if the duration meets the policy minimum. This allows governance
policy bypass.
### Recommended Remediation
Add validation against release policy minimum: check if
`vote_duration_choice < release_policy.min_hours` and raise
`storage.AccessError` if below minimum:
```python
async def start(self, release_key: str, vote_duration_choice: int, ...):
    """Start vote with policy validation."""
    release = await self._get_release(release_key)
    policy = await self._get_policy(release.project_key)

    # Validate against policy minimum
    if policy.min_hours and vote_duration_choice < policy.min_hours:
        raise storage.AccessError(
            f"Vote duration {vote_duration_choice}h is less than "
            f"policy minimum {policy.min_hours}h"
        )

    # Proceed with vote creation
    # ... existing code
```
### Acceptance Criteria
- [ ] Vote duration is validated against policy minimum
- [ ] Votes shorter than policy minimum are rejected
- [ ] Error message indicates policy requirement
- [ ] Test cases verify policy enforcement
- [ ] Unit test verifying the fix
### References
- Source reports: L1:8.3.1.md
- Related findings: FINDING-150
- ASVS sections: 8.3.1
### Priority
Medium
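The check from the recommended remediation, as an added stand-alone example that is not the project's own code. It shows that a rejected vote creates no task. `AccessError`, `ReleasePolicy`, `VoteWriter` and `try_start` here are local stand-ins and hypothetical names, and the release key is a constructed sample value.

```python
import asyncio
from dataclasses import dataclass
from typing import Optional


class AccessError(Exception):
    """Stand-in for storage.AccessError (assumption: a plain exception)."""


@dataclass
class ReleasePolicy:
    """Stand-in for the project's model; only min_hours is modelled."""
    min_hours: Optional[int]


def check_vote_duration(vote_duration_choice: int, policy: ReleasePolicy) -> int:
    """Return the duration if it meets the policy minimum, else raise."""
    # As in the issue's snippet, a falsy min_hours (None or 0) means no
    # minimum is configured; a duration equal to the minimum is accepted.
    if policy.min_hours and vote_duration_choice < policy.min_hours:
        raise AccessError(
            f"Vote duration {vote_duration_choice}h is less than "
            f"policy minimum {policy.min_hours}h"
        )
    return vote_duration_choice


class VoteWriter:
    """Hypothetical writer: validates before any vote task is recorded."""

    def __init__(self, policy: ReleasePolicy):
        self.policy = policy
        self.tasks = []  # stands in for the created vote tasks

    async def start(self, release_key: str, vote_duration_choice: int) -> int:
        hours = check_vote_duration(vote_duration_choice, self.policy)
        self.tasks.append((release_key, hours))  # reached only when valid
        return hours


def try_start(policy: ReleasePolicy, hours: int):
    """Call start() once; return (accepted, tasks_created, error_message)."""
    writer = VoteWriter(policy)
    try:
        asyncio.run(writer.start("example-1.0", hours))  # constructed key
        return True, len(writer.tasks), ""
    except AccessError as exc:
        return False, len(writer.tasks), str(exc)
```

The boundary cases to cover in the unit test are a duration one hour below the minimum, a duration equal to it, and a policy with no minimum set.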