asf-tooling opened a new issue, #1109: URL: https://github.com/apache/tooling-trusted-releases/issues/1109
**ASVS Level(s):** L2

**Description:**

### Summary

The application does not implement any WebSocket Origin header validation mechanism. While no WebSocket endpoints currently exist, the underlying framework (Quart + Hypercorn) supports WebSocket connections natively and does not disable them by default. Future risk is HIGH if WebSocket is added without controls. Potential vulnerabilities include Cross-Site WebSocket Hijacking (CSWSH), data exfiltration, unauthorized actions, and session hijacking.

### Details

Gap analysis:

1. No WebSocket endpoints defined - zero `@app.websocket()` decorators across 122 analyzed files
2. No Origin validation framework - no reusable middleware, decorator, or configuration for validating WebSocket Origin headers
3. WebSocket not explicitly disabled - Hypercorn will accept WebSocket upgrade requests by default
4. HTTP security controls don't transfer - the existing Sec-Fetch-Site CSRF protection (in `src/asfquart/generics.py` lines 30, 128) only applies to HTTP POST requests, not to WebSocket handshakes

Current impact is minimal as no WebSocket endpoints exist.

### Recommended Remediation

Three options are provided:

**Option 1 (Recommended):** Implement a reusable WebSocket Origin validation decorator. Create `src/asfquart/websocket.py` with a `validate_websocket_origin` decorator that checks the Origin header against an ALLOWED_ORIGINS set (e.g., https://trusted-releases.apache.org, https://whimsy.apache.org). Reject connections without an Origin header or with disallowed origins using `quart.websocket.reject(403)`.

**Option 2:** Disable WebSocket at the reverse proxy level if it is not planned. Use Apache httpd.conf with RewriteEngine to block WebSocket upgrade requests.

**Option 3:** Configure Hypercorn WebSocket security options, including the --websocket-max-size and --websocket-ping-interval flags.

Implementation steps:

1. Immediate - document the WebSocket security policy in SECURITY.md
2. Short-term - implement the validation decorator and add it to the code review checklist
3. Long-term - if WebSocket is never planned, implement the proxy-level block

### Acceptance Criteria

- [ ] WebSocket security policy documented
- [ ] Origin validation framework implemented OR WebSocket explicitly disabled
- [ ] Unit tests for validation logic (if implementing validation)
- [ ] Integration tests verifying WebSocket security

### References

- Source reports: L2:4.4.2.md
- Related findings: FINDING-118, FINDING-231
- ASVS sections: 4.4.2

### Priority

Low

---

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
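The Option 1 decorator, written out as an added example (not code from the tooling-trusted-releases project): the Origin value is canonicalised and compared as a whole against the allow-list, so a missing, duplicated, `null`, wrong-scheme or look-alike-suffix origin is rejected. The `ALLOWED_ORIGINS` contents, the `normalize_origin`/`origin_allowed` helper names and the use of Quart's `abort(403)` before `accept()` (instead of the `websocket.reject(403)` call the issue proposes) are assumptions of this example.

```python
# Added example, not project code: reusable Origin check for Quart websocket handlers.
from functools import wraps
from urllib.parse import urlsplit

# Assumed allow-list; the issue names these two origins as examples.
ALLOWED_ORIGINS = frozenset({
    "https://trusted-releases.apache.org",
    "https://whimsy.apache.org",
})
_DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(origin):
    """Canonicalise an Origin value to 'scheme://host[:port]'; None if unusable."""
    parts = urlsplit(origin.strip())
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None  # covers the literal "null" origin and non-http schemes
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None  # a real Origin is a serialised origin, nothing more
    host = parts.hostname.lower()
    if port is None or port == _DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def origin_allowed(headers, allowed=ALLOWED_ORIGINS):
    """True only when exactly one Origin header is present and canonicalises to an allowed value."""
    values = [v for k, v in headers.items() if k.lower() == "origin"]
    if len(values) != 1:  # missing (non-browser client) or duplicated header
        return False
    canonical = normalize_origin(values[0])
    # Exact match on the whole origin: no suffix or substring matching, so
    # https://trusted-releases.apache.org.example.com cannot pass.
    return canonical is not None and canonical in allowed


def validate_websocket_origin(handler):
    """Decorator for Quart websocket handlers: reject before accept() is ever called."""
    @wraps(handler)
    async def wrapper(*args, **kwargs):
        # Imported lazily so origin_allowed() is unit-testable without Quart installed.
        from quart import abort, websocket
        if not origin_allowed(websocket.headers):  # Headers.items() is case-insensitive-safe here
            abort(403)
        return await handler(*args, **kwargs)
    return wrapper
```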
