andrewmusselman opened a new issue, #665: URL: https://github.com/apache/tooling-trusted-releases/issues/665
**Audit refs:** 8.1.1 MEDIUM-02, 8.2.1 §2.7

#### Description

`atr/get/download.py:52-78` — the public download endpoint (`/download/path/...`) allows unauthenticated access to files from releases in **any phase**, including `RELEASE_CANDIDATE_DRAFT`. A comment in the code confirms this is intentional: `# We allow downloading files from any phase`. Attackers could monitor draft releases to discover vulnerabilities before patches are officially announced.

**Note:** The related issue #597 (Add project-level authorization to `/published/` endpoint) was closed as "not planned." This issue covers a different endpoint (`/download/path/`) with a different risk profile (unauthenticated public access vs. committer-only debug route).

#### Recommended fix

1. Add a prefixed comment documenting this
2. Add prefixed comment sensibility to prompt

**CWE:** CWE-285

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
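The authorization gap the issue describes (a file endpoint that ignores the release phase, CWE-285) is easiest to see next to a phase-aware policy. The following is an added example written for this page, not code from apache/tooling-trusted-releases: the `Phase` values other than `RELEASE_CANDIDATE_DRAFT`, the `Release`/`User` dataclasses, the `may_download` policy and the `download` stand-in for the route handler are all assumptions made for illustration. It keeps the permissive "any phase" behaviour as one function and the hardened rule as another so both can be exercised on the same inputs.

```python
"""Phase-aware authorization for a release-file download endpoint.

Added illustration; not the project's code. Everything below except the
phase name RELEASE_CANDIDATE_DRAFT is assumed for the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Phase(Enum):
    # RELEASE_CANDIDATE_DRAFT is named in the issue; the other two are assumed
    RELEASE_CANDIDATE_DRAFT = "draft"
    RELEASE_CANDIDATE = "candidate"
    RELEASE = "release"


@dataclass(frozen=True)
class Release:
    project: str
    version: str
    phase: Phase


@dataclass(frozen=True)
class User:
    """Authenticated caller; `projects` holds the projects they commit to."""
    uid: str
    projects: frozenset = field(default_factory=frozenset)


def may_download_any_phase(release: Release, user: Optional[User]) -> bool:
    """Behaviour the issue reports: every phase is public, no caller check."""
    return True


def may_download(release: Release, user: Optional[User]) -> bool:
    """Hardened policy: only formally released files are public; anything in a
    pre-release phase requires an authenticated committer of the owning project."""
    if release.phase is Phase.RELEASE:
        return True
    if user is None:
        return False  # anonymous callers never see drafts or candidates
    return release.project in user.projects


Policy = Callable[[Release, Optional[User]], bool]


def download(release: Release, user: Optional[User], path: str,
             policy: Policy = may_download) -> tuple:
    """Stand-in for the route handler: returns (status, body-or-reason)."""
    if not policy(release, user):
        # 404 rather than 403 so an anonymous client cannot use the endpoint
        # to confirm that a draft for a given version exists at all.
        return 404, "not found"
    return 200, f"{release.project}-{release.version}/{path}"


if __name__ == "__main__":
    # Constructed sample data, not real releases.
    draft = Release("example", "1.2.0", Phase.RELEASE_CANDIDATE_DRAFT)
    final = Release("example", "1.1.0", Phase.RELEASE)
    committer = User("alice", frozenset({"example"}))
    print("permissive, anonymous, draft:", download(draft, None, "src.tar.gz", may_download_any_phase))
    print("hardened,   anonymous, draft:", download(draft, None, "src.tar.gz"))
    print("hardened,   committer, draft:", download(draft, committer, "src.tar.gz"))
    print("hardened,   anonymous, final:", download(final, None, "src.tar.gz"))
```

Returning 404 for denied pre-release paths is a deliberate choice: a 403 would still let an unauthenticated observer enumerate which draft versions exist, which is part of the monitoring risk the issue raises.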
