asf-tooling opened a new issue, #1103:
URL: https://github.com/apache/tooling-trusted-releases/issues/1103

   **ASVS Level(s):** L1
   
   **Description:**
   
   ### Summary
   The vote casting POST handler in `atr/post/vote.py` validates that a vote thread exists but does not explicitly check that the release is in RELEASE_CANDIDATE phase. If a vote thread exists from a previous voting round and the release was moved back to RELEASE_CANDIDATE_DRAFT (after a failed vote), the stale thread would still exist while the release is no longer in the voting phase. The handler relies on the indirect check that `send_user_vote()` validates vote thread existence, but this doesn't prevent votes on stale threads.
   
   ### Details
   The issue exists in `atr/post/vote.py` and `atr/shared/vote.py`. The vote casting handler does not explicitly validate the release phase before accepting votes.
   
   ### Recommended Remediation
   Add explicit phase validation in `selected_post()` before processing votes:
   
   ```python
   @vote.typed
   async def selected_post(
       session: web.Committer,
       project_key: safe.ProjectKey,
       version_key: safe.VersionKey,
       form: form.VoteForm
   ) -> web.QuartResponse:
       """Cast vote with explicit phase validation."""
       # Fetch release (the database lookup is elided in this issue; `...` keeps
       # the sketch syntactically valid without inventing the project's query API)
       release = ...  # ... fetch from database
       
       # Explicit phase check for defense-in-depth
       if release.phase != sql.ReleasePhase.RELEASE_CANDIDATE:
           return await render(
               "vote/error.html",
               error="Voting is only allowed for releases in RELEASE_CANDIDATE phase"
           )
       
       # Validate vote thread exists
       if not release.vote_thread_url:
           return await render(
               "vote/error.html",
               error="No active vote thread for this release"
           )
       
       # Process vote
       # ... rest of implementation
   ```
   
   This provides defense in depth beyond the vote thread existence check.
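   The stale-thread scenario from the summary, as an added, self-contained example (not code from the `tooling-trusted-releases` project): a thread-existence-only check beside the remediated phase-first check, run over a constructed release that was moved back to RELEASE_CANDIDATE_DRAFT after a failed vote but still carries its old `vote_thread_url`. The `ReleasePhase` enum, `Release` dataclass, the `vote_completed` flag (modelling the triage note's "VOTE is completed" condition) and the thread URL are all assumptions constructed for this illustration; only the two phase names and the error strings come from the issue.

   ```python
   from dataclasses import dataclass
   from enum import Enum
   from typing import Optional, Tuple


   class ReleasePhase(Enum):
       """Constructed stand-in for the two phases named in the issue."""
       RELEASE_CANDIDATE_DRAFT = "release_candidate_draft"
       RELEASE_CANDIDATE = "release_candidate"


   @dataclass
   class Release:
       """Minimal constructed model of the fields the vote handler inspects."""
       phase: ReleasePhase
       vote_thread_url: Optional[str] = None
       # Constructed flag standing in for the triage note's "VOTE is completed".
       vote_completed: bool = False


   def thread_only_check(release: Release) -> Optional[str]:
       """The indirect check the issue describes: only asks whether a thread exists.

       Returns an error message, or None when the vote would be accepted.
       """
       if not release.vote_thread_url:
           return "No active vote thread for this release"
       return None


   def phase_aware_check(release: Release) -> Optional[str]:
       """Remediated ordering: phase first, then vote state, then thread existence.

       Returns an error message, or None when the vote may be processed.
       """
       if release.phase != ReleasePhase.RELEASE_CANDIDATE:
           return "Voting is only allowed for releases in RELEASE_CANDIDATE phase"
       if release.vote_completed:
           return "The vote for this release has already completed"
       if not release.vote_thread_url:
           return "No active vote thread for this release"
       return None


   def stale_thread_scenario() -> Tuple[Optional[str], Optional[str]]:
       """Release moved back to DRAFT after a failed vote; old thread URL still set.

       Returns (thread-only result, phase-aware result) so the two can be compared.
       """
       stale = Release(
           phase=ReleasePhase.RELEASE_CANDIDATE_DRAFT,
           # Constructed placeholder URL; any non-empty value models a leftover thread.
           vote_thread_url="https://lists.example.invalid/thread/placeholder",
       )
       return thread_only_check(stale), phase_aware_check(stale)


   if __name__ == "__main__":
       before, after = stale_thread_scenario()
       print("thread-only check:", before)  # None: the stale vote would be accepted
       print("phase-aware check:", after)   # error string: the stale vote is rejected
   ```

   The three branches of `phase_aware_check` map directly onto the acceptance criteria: one assertion per branch gives the unit tests for the non-candidate, completed-vote and missing-thread cases, plus one for the accepting path.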
   
   ### Acceptance Criteria
   - [ ] Explicit phase validation added to vote casting handler
   - [ ] Error message returned when release is not in RELEASE_CANDIDATE phase
   - [ ] Unit tests verify votes are rejected for non-CANDIDATE phases
   - [ ] Unit tests verify votes are accepted for RELEASE_CANDIDATE phase
   - [ ] Integration tests verify vote casting phase validation
   - [ ] Manual testing confirms stale vote threads cannot be used
   
   ### References
   - Source reports: L1:2.3.1.md
   - Related findings: None
   - ASVS sections: 2.3.1
   - CWE: CWE-841
   
   ### Priority
   Low
   
   ---
   
   ---
   
   **Triage notes:** if VOTE is completed then do not allow additional votes on POST


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
