asf-tooling opened a new issue, #1055:
URL: https://github.com/apache/tooling-trusted-releases/issues/1055
**ASVS Level(s):** L2-only
**Description:**
### Summary
The `/docs/*` endpoints serve internal developer documentation without any
authentication requirements. The `web.Public` session type explicitly marks
these routes as accessible to unauthenticated users. Documentation includes
sensitive information such as OAuth state storage details, architectural
weaknesses (multi-instance deployment state lookup failures), permission
hierarchy bypass methods, filesystem layouts, configuration variable names, and
audit logging mechanisms. Path traversal protection is present and correct, but
no authentication check exists.
### Details
The issue exists in `atr/get/docs.py` lines 57 and 62. Both the `index` and
`page` functions use `web.Public` session type, allowing unauthenticated
access. Sensitive documentation files include `docs/oauth.md` and
`docs/storage-interface.md`.
### Recommended Remediation
**Option A (Recommended):** Require authentication by changing session type:
```python
@docs.get
async def index(session: web.Committer) -> web.QuartResponse:  # Changed from web.Public
    ...  # implementation


@docs.get
async def page(session: web.Committer, name: safe.RelPath) -> web.QuartResponse:  # Changed from web.Public
    ...  # implementation
```
**Option B:** Separate public from internal docs:
- Serve only from `docs/public/` directory for unauthenticated users
- Move sensitive docs to `docs/internal/` requiring authentication
**Option C:** Gate behind production mode:
```python
@docs.get
async def page(session: web.Public, name: safe.RelPath) -> web.QuartResponse:
    if config.get().PRODUCTION_MODE:
        return quart.abort(404)
    ...  # rest of implementation
```
**Option D:** Implement allowlist of permitted public documentation files
with authentication requirement for others.
### Acceptance Criteria
- [ ] Authentication required for /docs/* endpoints
- [ ] OR: Public/internal documentation separated
- [ ] OR: Production mode gating implemented
- [ ] Unit tests verify unauthenticated access is rejected
- [ ] Unit tests verify authenticated access works
- [ ] Integration tests verify documentation security
- [ ] Documentation updated with access requirements
### References
- Source reports: L2:13.4.5.md
- Related findings: None
- ASVS sections: 13.4.5
### Priority
Medium
---
**Triage notes:** audit_guidance yes this is the intention for public
documentation