asf-tooling opened a new issue, #1117: URL: https://github.com/apache/tooling-trusted-releases/issues/1117
**ASVS Level(s):** L2

**Description:**

### Summary

The vote tabulation endpoint has JWT authentication enabled but the identity extraction is commented out (`asf_uid = _jwt_asf_uid()` is commented), and the operation uses the lowest privilege level (`as_general_public()`). While ASF voting is transparent, the consumer's identity is not bound to the operation and there's no check that the consumer has any relationship to the project.

### Details

In `atr/api/__init__.py` at lines 1255-1290, the vote tabulation endpoint has commented-out identity extraction and uses `as_general_public()` instead of verifying the user has a relationship to the project.

### Recommended Remediation

Uncomment the identity extraction line (`asf_uid = _jwt_asf_uid()`). Use the authenticated identity in the storage write context (`storage.write(asf_uid)`). Verify the user has a relationship to the project by checking committee participant status (`write.as_committee_participant(release.project.committee_key)`) before allowing vote tabulation operations.

### Acceptance Criteria

- [ ] Identity extraction uncommented
- [ ] Authenticated identity used in storage context
- [ ] Committee participant status verified
- [ ] Unit tests verify authorization checks

### References

- Source reports: L2:8.2.3.md
- Related findings: None
- ASVS sections: 8.2.3

### Priority

Low

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
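The shape of the finding and of the recommended remediation, as an added illustration that is not code from tooling-trusted-releases: `WriteContext`, `jwt_asf_uid`, `tally`, the committee roster and the `Release` data are all constructed stand-ins for the `storage.write(...)` / `as_committee_participant(...)` calls the issue names, and the JWT claim name `sub` is an assumption. The "before" function leaves the identity line commented out and runs under the public context, so the tally is produced with no principal bound to it; the "after" function extracts the identity first, binds it to the write context, and refuses callers who are not participants of the release's committee.

```python
# Added illustration (not tooling-trusted-releases code): binding the JWT
# identity to a write context and gating vote tabulation on committee
# participation. Every name and data value below is constructed.
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller is not allowed to perform the operation."""


# Constructed roster: committee key -> ASF uids that participate in it.
COMMITTEE_PARTICIPANTS = {
    "tooling": {"alice", "bob"},
    "incubator": {"carol"},
}


@dataclass
class Release:
    project_name: str
    committee_key: str
    votes: dict  # constructed: uid -> "+1" | "0" | "-1"


@dataclass
class WriteContext:
    """Stand-in for a storage write context: records who acted and in what role."""
    asf_uid: object = None
    role: str = "general_public"
    audit: list = field(default_factory=list)

    def as_general_public(self):
        # Lowest privilege: no identity required and nothing is checked.
        self.role = "general_public"
        return self

    def as_committee_participant(self, committee_key):
        # Refuse unless an identity is bound AND it sits on the committee roster.
        if self.asf_uid is None:
            raise AuthorizationError("no authenticated identity bound to this write")
        if self.asf_uid not in COMMITTEE_PARTICIPANTS.get(committee_key, set()):
            raise AuthorizationError(f"{self.asf_uid} is not a participant of {committee_key}")
        self.role = f"committee_participant:{committee_key}"
        return self


def jwt_asf_uid(claims):
    """Extract the ASF uid from already-verified JWT claims ('sub' is an assumption)."""
    uid = claims.get("sub")
    if not isinstance(uid, str) or not uid:
        raise AuthorizationError("JWT carries no usable subject claim")
    return uid


def tally(release):
    """Count votes by value; reject anything outside the expected alphabet."""
    counts = {"+1": 0, "0": 0, "-1": 0}
    for vote in release.votes.values():
        if vote not in counts:
            raise ValueError(f"unexpected vote value {vote!r}")
        counts[vote] += 1
    return counts


def tabulate_votes_before(claims, release):
    """Shape of the finding: identity line commented out, public write context."""
    # asf_uid = jwt_asf_uid(claims)
    ctx = WriteContext().as_general_public()
    ctx.audit.append(f"tabulate {release.project_name} by <unbound> as {ctx.role}")
    return tally(release), ctx


def tabulate_votes_after(claims, release):
    """Remediated shape: identity extracted, bound, and checked before tabulating."""
    asf_uid = jwt_asf_uid(claims)
    ctx = WriteContext(asf_uid=asf_uid).as_committee_participant(release.committee_key)
    ctx.audit.append(f"tabulate {release.project_name} by {asf_uid} as {ctx.role}")
    return tally(release), ctx


def is_refused(claims, release):
    """True when the remediated endpoint rejects the caller with AuthorizationError."""
    try:
        tabulate_votes_after(claims, release)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    rel = Release("tooling-trusted-releases", "tooling",
                  {"alice": "+1", "bob": "+1", "carol": "0"})
    print(tabulate_votes_before({"sub": "carol"}, rel)[1].audit)
    print(tabulate_votes_after({"sub": "alice"}, rel))
    print("carol refused:", is_refused({"sub": "carol"}, rel))
```

The point the unit tests in the acceptance criteria would pin down is the last two cases: a valid token for a user outside the committee, and a token with no subject at all, must both be refused before any tabulation happens, and the audit entry for a successful call must name the actual uid rather than a placeholder.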
