andrewmusselman opened a new issue, #656:
URL: https://github.com/apache/tooling-trusted-releases/issues/656

**Audit refs:** 8.2.1 §2.1, 8.2.2 HIGH-003/004/005, 8.3.1 HIGH-04, 8.1.1 HIGH-01/HIGH-05

#### Description

Multiple `@get.committer` and `@post.committer` route handlers are missing secondary project-level authorization via `session.check_access(project_name)`. Authentication confirms the user is an ASF committer, but any committer can access any project's resources.

#### Affected routes

| File | Route(s) | Operation |
|------|----------|-----------|
| `atr/get/finish.py` | `/finish/<project_name>/<version_name>` | View release finish page |
| `atr/post/finish.py` | `/finish/*` | Finalize releases |
| `atr/get/distribution.py` | 5 routes: `automate`, `list_get`, `record`, `stage_automate`, `stage_record` | View distribution config |
| `atr/post/distribution.py` | Multiple endpoints | Modify distributions |
| `atr/get/ignores.py` | `/ignores/<project_name>` | View check ignores |
| `atr/post/ignores.py` | `/ignores/*` | Modify check ignores |
| `atr/get/checks.py` | `/checks/<project>/<version>/<revision>` | View check results |
| `atr/get/result.py` | `/result/data/*` | View check result data (conditional bypass — also related to open issue #600) |
| `atr/post/keys.py` | `/keys/import/<project_name>/<version_name>` | Import keys |

The correct pattern exists in many other handlers (e.g., `compose.py`, `upload.py`, `draft.py`).

#### Recommended fix

Add `await session.check_access(project_name)` at the start of all affected handlers. Consider implementing a composite decorator for defense-in-depth:

```python
@get.project_committer("/finish/<project_name>/<version_name>")
# Automatically calls session.check_access(project_name)
```

**Note:** `atr/post/ignores.py` also calls `storage.write()` without passing the session context (should be `storage.write(session)`).

**CWE:** CWE-862 (Missing Authorization)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
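The composite decorator proposed in the issue, sketched as an added example that is not code from the apache/tooling-trusted-releases project. The `Session`, `Forbidden` and `project_committer` names, and the `PROJECTS` membership data, are constructed stand-ins for ATR's real session object; the point is that the project-level `check_access` call runs before every wrapped handler, so a handler author cannot forget it.

```python
import asyncio
import functools
from typing import Awaitable, Callable

# Constructed stand-ins for the ATR session; not the project's own classes.
class Forbidden(Exception):
    """Raised when a committer is not a member of the requested project."""

class Session:
    def __init__(self, uid: str, projects: dict[str, set[str]]):
        self.uid = uid
        self._projects = projects  # project_name -> committer uids (sample data)

    async def check_access(self, project_name: str) -> None:
        # Secondary, project-level authorization: being an ASF committer
        # (already established by authentication) is not sufficient.
        if self.uid not in self._projects.get(project_name, set()):
            raise Forbidden(f"{self.uid} is not a committer of {project_name}")

Handler = Callable[..., Awaitable[str]]

def project_committer(route: str) -> Callable[[Handler], Handler]:
    """Composite decorator (hypothetical): always runs
    session.check_access(project_name) before the handler body."""
    if "<project_name>" not in route:
        # Fail at registration time rather than silently skipping the check.
        raise ValueError(f"route {route!r} has no <project_name> parameter")

    def decorate(handler: Handler) -> Handler:
        @functools.wraps(handler)
        async def wrapper(session: Session, **params) -> str:
            await session.check_access(params["project_name"])
            return await handler(session, **params)
        wrapper.route = route  # type: ignore[attr-defined]
        return wrapper
    return decorate

# A handler that omits the check (the bug reported above) and its wrapped form.
async def finish_unchecked(session: Session, *, project_name: str, version_name: str) -> str:
    return f"finish page for {project_name}-{version_name}"

@project_committer("/finish/<project_name>/<version_name>")
async def finish_checked(session: Session, *, project_name: str, version_name: str) -> str:
    return f"finish page for {project_name}-{version_name}"

def run(handler: Handler, session: Session, **params) -> str:
    """Invoke a handler and return its page, or 'forbidden' if access is denied."""
    try:
        return asyncio.run(handler(session, **params))
    except Forbidden:
        return "forbidden"

PROJECTS = {"tooling": {"alice"}, "httpd": {"bob"}}  # constructed sample membership
```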

