andrewmusselman opened a new issue, #654:
URL: https://github.com/apache/tooling-trusted-releases/issues/654
**Audit refs:** 8.1.1 CRITICAL-01, 8.3.1 HIGH-03
#### Description
The `send()` function in `atr/tasks/message.py` (lines 40–57) allows user
impersonation. When the `email_sender` argument lacks an `@` character, the
code logs a warning but **continues execution** using the raw value as an ASF
UID. This allows an attacker to invoke `storage.write("admin")` with an
arbitrary identity.
#### Attack vector
1. Task is called with `email_sender="admin"` (no `@` symbol)
2. Code hits the warning branch but proceeds with `sender_asf_uid = "admin"`
3. `storage.write("admin")` executes with the impersonated identity
#### Affected code
```python
# atr/tasks/message.py:40-57
if "@" not in args.email_sender:
    log.warning(f"Invalid email sender: {args.email_sender}")
    sender_asf_uid = args.email_sender  # <- continues with arbitrary value
```
#### Recommended fix
Reject invalid senders immediately rather than continuing:
```python
if "@" not in args.email_sender or not args.email_sender.endswith("@apache.org"):
    raise SendError(f"Invalid email sender: {args.email_sender}")
sender_asf_uid = args.email_sender.split("@")[0]
```
Additionally, `recipient_domain == f"{sender_asf_uid}@apache.org"` on line
44 compares a domain to a full email address and always evaluates to `False`
(logic bug, see 8.2.1 §2.12).
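To make the fail-open versus fail-closed difference concrete, here is a stand-alone comparison of the two sender checks over a few constructed inputs. This is an added example, not code from `atr/tasks/message.py`; `SendError`, the function names and the sample addresses are assumptions made for illustration. The hardened variant is slightly stricter than the one-line fix above: it derives the UID from the text before the last `@` and rejects an empty local part or a local part that itself contains `@`.

```python
import logging

log = logging.getLogger(__name__)


class SendError(Exception):
    """Assumed stand-in for the project's SendError: raised to abort sending."""


def sender_asf_uid_vulnerable(email_sender: str) -> str:
    """Behaviour the issue describes: warn, then continue with the raw value.

    A bare value such as "admin" is returned unchanged and would reach
    storage.write() as if it were an authenticated ASF UID.
    """
    if "@" not in email_sender:
        log.warning("Invalid email sender: %s", email_sender)
        return email_sender  # fail-open: arbitrary value becomes the identity
    return email_sender.split("@")[0]


def sender_asf_uid_hardened(email_sender: str) -> str:
    """Fail-closed variant of the recommended fix.

    Only "<uid>@apache.org" yields a UID. Unlike split("@")[0], taking the
    text before the *last* "@" and rejecting any remaining "@" means
    "admin@example.com@apache.org" is refused rather than mapped to "admin".
    """
    if "@" not in email_sender or not email_sender.endswith("@apache.org"):
        raise SendError(f"Invalid email sender: {email_sender}")
    local_part, _, _domain = email_sender.rpartition("@")  # _domain is "apache.org"
    if not local_part or "@" in local_part:
        raise SendError(f"Invalid email sender: {email_sender}")
    return local_part


def compare(samples):
    """Run both variants; returns {input: (vulnerable_uid, hardened_result)}.

    hardened_result is the derived UID, or the string "rejected" when the
    hardened check raised SendError.
    """
    results = {}
    for sample in samples:
        vuln = sender_asf_uid_vulnerable(sample)
        try:
            hardened = sender_asf_uid_hardened(sample)
        except SendError:
            hardened = "rejected"
        results[sample] = (vuln, hardened)
    return results


# Constructed sample inputs (not taken from any real system).
CONSTRUCTED_SAMPLES = [
    "admin",                         # no "@": the impersonation path in the issue
    "alice@apache.org",              # well-formed committer address
    "mallory@example.com",           # wrong domain
    "admin@example.com@apache.org",  # two "@": split("@")[0] would yield "admin"
    "@apache.org",                   # empty local part
]

if __name__ == "__main__":
    for sample, (vuln, hard) in compare(CONSTRUCTED_SAMPLES).items():
        print(f"{sample:32} vulnerable={vuln!r:12} hardened={hard!r}")
```

Running the block prints one row per sample; the vulnerable column shows the bare `admin` accepted as a UID, while the hardened column rejects everything except `alice@apache.org`.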
**CWE:** CWE-287 (Improper Authentication) | **CVSS:** 9.1
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]