asf-tooling opened a new issue, #1045:
URL: https://github.com/apache/tooling-trusted-releases/issues/1045
**ASVS Level(s):** L1
**Description:**
### Summary
Two API models (`DistributeSshRegisterArgs` and
`DistributionRecordFromWorkflowArgs`) accept both a JWT token (containing
authenticated identity) and a separate `asf_uid` parameter (client-submitted
identity). If handlers use the client-submitted `asf_uid` for authorization
decisions or audit logging instead of the JWT-derived identity, attackers could
impersonate other users by providing a valid JWT for their own account while
submitting another user's `asf_uid`.
### Details
The vulnerability exists in `atr/models/api.py` at lines 69-88 and 113-140.
These models accept both authentication mechanisms simultaneously, creating
ambiguity about which identity should be trusted. This pattern violates the
principle that identity should be derived exclusively from cryptographically
verified credentials (JWT subject claim) rather than client-supplied parameters.
### Recommended Remediation
Remove the redundant `asf_uid` field from API models and extract identity
exclusively from the JWT subject claim. Alternatively, add a Pydantic model
validator that enforces `asf_uid` matches the JWT subject:
```python
@pydantic.model_validator(mode="after")
def validate_identity_matches_jwt(self) -> "DistributeSshRegisterArgs":
    jwt_subject = get_jwt_subject()  # Extract from current request context
    if self.asf_uid != jwt_subject:
        raise ValueError("Client-submitted identity does not match JWT subject")
    return self
```
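As an added illustration (not code from the tooling-trusted-releases project), the cross-check the remediation describes, written against a stdlib HS256 verifier with a plain dataclass standing in for the Pydantic model; the signing key, claims and `encode_hs256` helper are constructed for the example, and only `asf_uid` is taken from the issue:

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict, key: bytes) -> str:
    """Mint a minimal HS256 JWT; test helper standing in for the real issuer."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verified_subject(token: str, key: bytes) -> str:
    """Return the `sub` claim only after the signature verifies.
    The header's `alg` is ignored on purpose: the server always applies HS256
    with its own key, so a token cannot choose its verification algorithm."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise PermissionError("JWT signature invalid")
    return json.loads(unb64url(payload))["sub"]


@dataclass
class DistributeSshRegisterArgs:
    asf_uid: str  # client-submitted identity, the field the issue is about


def resolve_identity(args: DistributeSshRegisterArgs, token: str, key: bytes) -> str:
    """Handler-side version of the validator: authorization and audit logging
    must use the returned, JWT-derived value, never `args.asf_uid` itself."""
    subject = verified_subject(token, key)
    if args.asf_uid != subject:
        raise PermissionError("Client-submitted identity does not match JWT subject")
    return subject
```

A request whose `asf_uid` names another account is rejected even though its token is genuine, and a token minted without the server key is rejected before `asf_uid` is ever consulted.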
### Acceptance Criteria
- [ ] `asf_uid` field removed from both API models, with identity extracted
from JWT only
- [ ] OR: Pydantic validator added that enforces `asf_uid` matches JWT
subject claim
- [ ] All handlers using these models updated to use JWT-derived identity
- [ ] Unit tests verify that mismatched identities are rejected
- [ ] Audit logging uses JWT-derived identity consistently
### References
- Source reports: L1:8.3.1.md
- Related findings: FINDING-150, FINDING-152
- ASVS sections: 8.3.1
### Priority
Medium
---
**Triage notes:** make sure the user id that comes back is the same as the one
that initiated the task; also add security guidance
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.