asf-tooling opened a new issue, #1038:
URL: https://github.com/apache/tooling-trusted-releases/issues/1038
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
Three admin pages return `web.ElementResponse()` with form HTML elements,
but the `web.ElementResponse()` implementation was not provided in audit scope.
If `web.ElementResponse` renders only HTML fragments without wrapping them in
`base.html`, these pages will lack the topnav navigation and logout button.
Authenticated admin users on `keys_check_get`, `keys_regenerate_all_get`, and
`delete_test_openpgp_keys_get` pages may have no visible logout mechanism,
violating ASVS 7.4.4.
### Details
Affected locations:
- `atr/admin/__init__.py` line 442: `keys_check_get` returns `web.ElementResponse()`
- `atr/admin/__init__.py` line 466: `keys_regenerate_all_get` returns `web.ElementResponse()`
- `atr/admin/__init__.py` line 392: `delete_test_openpgp_keys_get` returns `web.ElementResponse()`
The `web.ElementResponse()` implementation was not provided, making it
impossible to verify logout button presence.
### Recommended Remediation
**Option 1:** Modify `web.ElementResponse` class to wrap content in base
layout with title parameter, creating `layouts/element-wrapper.html` that
extends `base.html`:
```python
class ElementResponse:
    def __init__(self, element, title="Admin"):
        self.element = element
        self.title = title

    def render(self):
        # Wrap the element in the base layout so the topnav (and logout) is present
        return template.render('layouts/element-wrapper.html', {
            'title': self.title,
            'content': self.element
        })
```
**Option 2:** Switch affected handlers (`keys_check_get`,
`keys_regenerate_all_get`, `delete_test_openpgp_keys_get`) to use
`template.render()` with `admin/form-page.html` template to ensure logout
button presence through base layout inheritance.
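The example below is added here and is not ATR's code: it models the fragment-versus-wrapped rendering behind Option 1 and gives the kind of check the acceptance criteria ask for, scanning each rendered admin response for a logout control. `BASE_LAYOUT`, `ElementResponse`, `has_logout_control`, `ADMIN_FORMS` and the form action paths are all assumptions for illustration, not the project's real `web.ElementResponse` or routes.

```python
# Added example, not part of the apache/tooling-trusted-releases code base.
# All names and paths below are constructed for illustration.
from html.parser import HTMLParser
import html

# Assumed base layout: the topnav carries the logout form every page must show.
BASE_LAYOUT = """<!doctype html><html><head><title>{title}</title></head>
<body><nav class="topnav"><a href="/">ATR</a>
<form method="post" action="/logout"><button type="submit">Log out</button></form>
</nav><main>{content}</main></body></html>"""


class ElementResponse:
    """Wraps an HTML fragment in the base layout; wrap=False models the
    bare-fragment behaviour the finding is concerned about."""
    def __init__(self, element: str, title: str = "Admin", wrap: bool = True):
        self.element, self.title, self.wrap = element, title, wrap

    def render(self) -> str:
        if not self.wrap:
            return self.element  # fragment only: no topnav, no logout control
        return BASE_LAYOUT.format(title=html.escape(self.title), content=self.element)


class _LogoutFinder(HTMLParser):
    """Sets found=True on <a href="/logout"> or <form action="/logout">."""
    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if (tag == "a" and a.get("href") == "/logout") or \
           (tag == "form" and a.get("action") == "/logout"):
            self.found = True


def has_logout_control(page_html: str) -> bool:
    """True if the full response contains a logout link or logout form."""
    finder = _LogoutFinder()
    finder.feed(page_html)
    return finder.found


# Constructed stand-ins for the three affected admin form handlers.
ADMIN_FORMS = {
    "keys_check_get": '<form method="post" action="/admin/a"><button>Check keys</button></form>',
    "keys_regenerate_all_get": '<form method="post" action="/admin/b"><button>Regenerate</button></form>',
    "delete_test_openpgp_keys_get": '<form method="post" action="/admin/c"><button>Delete</button></form>',
}


def pages_missing_logout(wrap: bool) -> list[str]:
    """Names of handlers whose rendered response lacks a logout control."""
    return [name for name, frag in ADMIN_FORMS.items()
            if not has_logout_control(ElementResponse(frag, wrap=wrap).render())]
```

With `wrap=False` all three handlers are reported; with `wrap=True` the list is empty, which is the property a unit test for this finding should assert.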
### Acceptance Criteria
- [ ] Admin pages using `web.ElementResponse()` include logout button
- [ ] Logout button is visible and functional on all admin pages
- [ ] Response wrapping is verified
- [ ] Test cases verify logout button presence
- [ ] Unit test verifying the fix
### References
- Source reports: L2:7.4.4.md
- Related findings: FINDING-137, FINDING-254
- ASVS sections: 7.4.4
### Priority
Medium
---
**Triage notes:** just admin routes need to be fixed
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]