asf-tooling opened a new issue, #955: URL: https://github.com/apache/tooling-trusted-releases/issues/955
**ASVS Level(s):** [L2-only]

**Description:**

### Summary

SVN export and import operations explicitly disable TLS certificate verification using the `--trust-server-cert-failures` flag (with `unknown-ca,cn-mismatch`), accepting any certificate regardless of validity. This completely neutralizes the security benefits of HTTPS encryption, allowing man-in-the-middle attacks on release artifact imports. An attacker with network position could inject malicious code into release artifacts without detection at the transport layer.

### Details

**Affected Files and Lines:**

- `atr/tasks/svn.py:73-84` - SVN export with disabled cert verification
- `atr/tasks/svn.py:93-103` - SVN import with disabled cert verification

The `--trust-server-cert-failures` flag explicitly bypasses certificate validation, accepting unknown CAs and certificate name mismatches. This creates a supply chain security vulnerability where artifact integrity depends entirely on post-download verification.

### Recommended Remediation

Remove the `--trust-server-cert-failures` flag and its `unknown-ca,cn-mismatch` value from the SVN export command:

```python
# Remove these flags:
'--trust-server-cert-failures', 'unknown-ca,cn-mismatch'
```

If a custom CA is needed for ASF internal infrastructure, configure SVN to trust only that specific CA:

```python
'--config-option', 'servers:global:ssl-authority-files=/path/to/asf-ca.pem'
```

This approach maintains security while supporting internal certificate authorities if needed.

### Acceptance Criteria

- [ ] Certificate verification flags removed
- [ ] SVN operations verify certificates by default
- [ ] Custom CA configuration if needed
- [ ] Integration test verifies cert validation
- [ ] Documentation updated with security rationale
- [ ] Unit test verifying the fix

### References

- Source reports: L2:12.3.1.md, L2:12.3.3.md
- Related findings: None
- ASVS sections: 12.3.1, 12.3.3

### Priority

Critical

---

This is an automated message from the Apache Git Service.
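The remediation above comes down to two things: never pass `--trust-server-cert-failures` (or its deprecated predecessor `--trust-server-cert`), and pin any internal CA through `servers:global:ssl-authority-files` instead. The following is an added example, not code from the `atr` project or from `atr/tasks/svn.py`; it builds an `svn export` argv the hardened way and includes a small lint that a unit test can run over any argv to catch the insecure flags if they are reintroduced. The repository URL, destination path and the "before" argv are constructed for illustration.

```python
"""Build a TLS-verifying `svn export` command and lint argv lists for
certificate-bypass flags. Added example; the project's own code may differ."""

from typing import List, Optional, Tuple

# Real svn options that disable TLS certificate checking.
# `--trust-server-cert-failures ARG` (svn >= 1.9) takes a comma-separated list
# such as unknown-ca,cn-mismatch,expired; `--trust-server-cert` is the older
# deprecated boolean form.
INSECURE_TLS_FLAGS = {"--trust-server-cert-failures", "--trust-server-cert"}


def build_svn_export_cmd(url: str, dest: str, ca_file: Optional[str] = None) -> List[str]:
    """Return an argv for `svn export` that verifies the server certificate.

    If `ca_file` is given, svn is told to trust only that CA bundle via the
    servers-config option the issue recommends; otherwise the system trust
    store applies. No trust-failure flags are ever emitted.
    """
    cmd = ["svn", "export", "--non-interactive", "--quiet"]
    if ca_file:
        cmd += ["--config-option", f"servers:global:ssl-authority-files={ca_file}"]
    cmd += [url, dest]
    return cmd


def find_insecure_tls_flags(argv: List[str]) -> List[Tuple[str, str]]:
    """Return (flag, value) pairs for every certificate-bypass option in argv.

    Handles both `--flag value` and `--flag=value` spellings so a test cannot be
    fooled by reformatting. An empty list means the command verifies certs.
    """
    findings: List[Tuple[str, str]] = []
    for i, arg in enumerate(argv):
        if arg in INSECURE_TLS_FLAGS:
            # Only --trust-server-cert-failures consumes a following value.
            takes_value = arg == "--trust-server-cert-failures"
            value = argv[i + 1] if takes_value and i + 1 < len(argv) else ""
            findings.append((arg, value))
        elif arg.startswith("--trust-server-cert-failures="):
            findings.append(("--trust-server-cert-failures", arg.split("=", 1)[1]))
    return findings


# Constructed "before" argv mirroring the flags the issue describes (the real
# command in atr/tasks/svn.py is not reproduced here).
REPO_URL = "https://svn.example.invalid/repos/release"  # constructed placeholder
DEST_DIR = "/tmp/release-export"                         # constructed placeholder
INSECURE_EXAMPLE_ARGV = [
    "svn", "export", "--non-interactive",
    "--trust-server-cert-failures", "unknown-ca,cn-mismatch",
    REPO_URL, DEST_DIR,
]


if __name__ == "__main__":
    print("insecure findings:", find_insecure_tls_flags(INSECURE_EXAMPLE_ARGV))
    hardened = build_svn_export_cmd(REPO_URL, DEST_DIR, ca_file="/path/to/asf-ca.pem")
    print("hardened argv:", hardened)
    print("hardened findings:", find_insecure_tls_flags(hardened))
```

`find_insecure_tls_flags` is the piece worth wiring into the project's test suite: asserting that it returns an empty list for every argv the export and import tasks produce gives the "unit test verifying the fix" acceptance criterion a concrete check, and it fails loudly if either spelling of the bypass flag reappears.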
