andrewmusselman opened a new issue, #657: URL: https://github.com/apache/tooling-trusted-releases/issues/657
**Audit refs:** 8.2.1 §2.2, 8.3.1 HIGH-01/HIGH-02

#### Description

Two storage layer methods accept a user identifier as a parameter instead of using the authenticated user's identity (`self.__asf_uid`), allowing operations on behalf of arbitrary users.

**`atr/storage/writers/ssh.py:42-46`** — `add_key(self, key, asf_uid)`: Creates an SSH key for the parameter `asf_uid` instead of the authenticated user. Contrast with `delete_key()` in the same file, which correctly uses `self.__asf_uid`.

**`atr/storage/writers/tokens.py:44-59`** — `add_token(self, uid, ...)`: Creates a PAT for the parameter `uid` and sends a notification email to `[email protected]`.

#### Impact

Authenticated users could add SSH keys or create API tokens associated with other users' accounts.

#### Recommended fix

Remove the user ID parameters and use `self.__asf_uid` for tokens; for ssh, document the issue, since #643 will fix it there:

```python
# ssh.py
async def add_key(self, key: str) -> str:
    self.__data.add(sql.SSHKey(fingerprint=..., key=key, asf_uid=self.__asf_uid))

# tokens.py
async def add_token(self, token_hash, created, expires, label) -> sql.PersonalAccessToken:
    pat = sql.PersonalAccessToken(asfuid=self.__asf_uid, ...)
```

**CWE:** CWE-639 | **CVSS:** 7.5+
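The pattern behind this report, as an added illustration that is not code from the tooling-trusted-releases project: a writer that lets the caller pick the owning account beside one bound to the identity it was opened with, plus a small signature audit that flags storage methods taking a caller-supplied user id. The `PersonalAccessToken` and `InMemoryData` classes here are constructed stand-ins for the project's `sql` models and session, not its real API.

```python
import inspect
from dataclasses import dataclass, field


@dataclass
class PersonalAccessToken:
    """Constructed stand-in for sql.PersonalAccessToken."""
    asfuid: str
    token_hash: str
    label: str


@dataclass
class InMemoryData:
    """Constructed stand-in for the ORM session the real writers hold in self.__data."""
    rows: list = field(default_factory=list)

    def add(self, row):
        self.rows.append(row)


class VulnerableTokensWriter:
    """Before: the caller chooses whose account receives the token (CWE-639)."""
    def __init__(self, data, asf_uid):
        self.__data = data
        self.__asf_uid = asf_uid  # authenticated identity, ignored below

    def add_token(self, uid, token_hash, label):
        pat = PersonalAccessToken(asfuid=uid, token_hash=token_hash, label=label)
        self.__data.add(pat)
        return pat


class FixedTokensWriter:
    """After: the owner is always the identity the writer was opened with."""
    def __init__(self, data, asf_uid):
        self.__data = data
        self.__asf_uid = asf_uid

    def add_token(self, token_hash, label):
        pat = PersonalAccessToken(asfuid=self.__asf_uid, token_hash=token_hash, label=label)
        self.__data.add(pat)
        return pat


# Parameter names that signal a caller-supplied identity (assumed naming convention).
IDENTITY_PARAMS = {"uid", "asf_uid", "asfuid", "user_id"}


def identity_parameter_methods(cls):
    """Audit helper: public methods of cls whose signature takes a user id."""
    hits = []
    for name, fn in inspect.getmembers(cls, inspect.isfunction):
        if name.startswith("_"):
            continue
        if set(inspect.signature(fn).parameters) & IDENTITY_PARAMS:
            hits.append(name)
    return sorted(hits)
```

Running `identity_parameter_methods` over every writer class in a test suite turns the review finding into a regression check that fails when a new method reintroduces the parameter.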
