asf-tooling opened a new issue, #1039:
URL: https://github.com/apache/tooling-trusted-releases/issues/1039
**ASVS Level(s):** [L1, L2]
**Description:**
### Summary
Three distribution POST handlers and one GET handler do not call
`session.check_access(project_key)` before accessing project-scoped data. The
POST handlers have mitigating storage-layer authorization
(`write_as_committee_member()`), but the GET handler (`list_get`) exposes
distribution records and workflow task details to any authenticated committer.
The inconsistency creates potential for future regression if `check_access`
adds security-relevant validation beyond what the storage layer provides.
### Details
Affected locations:
- `atr/get/distribution.py` line 180: `list_get()` without `check_access()`
- `atr/get/distribution.py` line 192: `record_selected()` without `check_access()`
- `atr/get/distribution.py` line 205: `stage_automate_selected()` without `check_access()`
- `atr/post/distribution.py`: POST handlers without `check_access()`
The GET handler exposes data without an authorization check, while the POST
handlers rely on the storage layer.
### Recommended Remediation
Add `await session.check_access(project_key)` at the beginning of all four
functions: `list_get()`, `record_selected()`, `stage_automate_selected()`, and
`stage_record_selected()`:
```python
async def list_get(session, project_key, version_key):
    # Add authorization check
    await session.check_access(project_key)
    # Remove underscore prefix from _session parameter
    # ... existing code
```
Remove underscore prefix from `_session` parameter in `list_get()`. This
ensures consistent authorization checks across all distribution endpoints.
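The following is an added example, not code from the ATR project: it models the unchecked `list_get()` beside the remediated form and includes the kind of unit test the acceptance criteria ask for, one that asserts every registered handler calls `check_access()` with the requested `project_key` before returning data. The `Session` class, the `AccessDenied` exception, the committee membership table and the distribution records are all constructed stand-ins; the real `session.check_access(project_key)` signature is assumed from the issue text.

```python
"""Added example (not ATR project code): the missing check_access() call
modelled beside its fix, with a test that proves every handler performs it."""
import asyncio


class AccessDenied(Exception):
    """Raised when the caller is not a member of the project's committee."""


class Session:
    """Constructed stand-in for the request session. The real
    check_access() signature is assumed from the issue, not taken from ATR."""

    def __init__(self, uid, memberships):
        self.uid = uid
        self._memberships = memberships  # {project_key: {uid, ...}}, constructed
        self.checked = []  # audit trail of project keys checked, for the test

    async def check_access(self, project_key):
        self.checked.append(project_key)
        if self.uid not in self._memberships.get(project_key, set()):
            raise AccessDenied(f"{self.uid} is not a committee member of {project_key}")


# Constructed distribution records keyed by (project_key, version_key).
DISTRIBUTIONS = {
    ("tooling", "1.0"): [{"platform": "maven", "task": "upload", "status": "done"}],
}


async def list_get_unchecked(_session, project_key, version_key):
    # The pattern the issue describes: _session is unused, so any authenticated
    # committer can read another project's distribution records.
    return DISTRIBUTIONS.get((project_key, version_key), [])


async def list_get(session, project_key, version_key):
    # Remediated form: authorize against the project before touching its data.
    await session.check_access(project_key)
    return DISTRIBUTIONS.get((project_key, version_key), [])


# Registry of handlers under test; the other three would be registered the same way.
HANDLERS = {"list_get": list_get}


async def call(handler, session, project_key, version_key):
    """Return ("ok", records) or ("denied", None) so tests can assert on it."""
    try:
        return "ok", await handler(session, project_key, version_key)
    except AccessDenied:
        return "denied", None


def run(coro):
    return asyncio.run(coro)


def outsider_can_read(handler):
    """True if a committer of a different project can read tooling's records."""
    outsider = Session("bob", {"other": {"bob"}})  # constructed user
    status, _ = run(call(handler, outsider, "tooling", "1.0"))
    return status == "ok"


def member_result(handler):
    """What a legitimate committee member gets back from the handler."""
    member = Session("alice", {"tooling": {"alice"}})  # constructed user
    return run(call(handler, member, "tooling", "1.0"))


def all_handlers_check_access():
    """Acceptance-criterion test: every registered handler must call
    check_access() with exactly the requested project_key."""
    for handler in HANDLERS.values():
        member = Session("alice", {"tooling": {"alice"}})
        run(call(handler, member, "tooling", "1.0"))
        if member.checked != ["tooling"]:
            return False
    return True


if __name__ == "__main__":
    print("unchecked handler readable by outsider:", outsider_can_read(list_get_unchecked))
    print("fixed handler readable by outsider:", outsider_can_read(list_get))
    print("all handlers call check_access():", all_handlers_check_access())
```

The `checked` audit list is what makes the test meaningful: it fails not only when a handler skips the call entirely but also when it checks the wrong project key, which is the regression the issue warns about if `check_access()` later grows validation the storage layer does not perform.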
### Acceptance Criteria
- [ ] All distribution endpoints call check_access()
- [ ] Authorization is consistent across GET and POST handlers
- [ ] Defense-in-depth is maintained
- [ ] Test cases verify authorization checks
- [ ] Unit test verifying the fix
### References
- Source reports: L1:8.2.2.md, L2:8.2.3.md
- Related findings: FINDING-041
- ASVS sections: 8.2.2, 8.2.3
### Priority
Medium
---
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.