asf-tooling opened a new issue, #958:
URL: https://github.com/apache/tooling-trusted-releases/issues/958

   **ASVS Level(s):** [L2-only]
   
   **Description:**
   
   ### Summary
   The admin route directly uses `db.session()` to delete committee signing 
keys, bypassing both the storage layer's authorization framework and its audit 
logging. The storage interface documentation explicitly warns against this 
pattern. Bulk deletion of committee signing keys — which are critical for 
release artifact verification — leaves no audit trail, making it impossible to 
investigate security incidents or track key lifecycle.
   
   ### Details
   **Affected Files and Lines:**
   - `atr/admin/__init__.py:290-340` - Committee key deletion with direct DB 
access
   
   The function performs bulk deletion directly through the database session, 
completely bypassing the storage layer that provides authorization checks and 
audit logging. This violates documented architectural patterns.
   
   ### Recommended Remediation
   **Option A (Recommended):** Use storage layer instead of direct DB access:
   
   ```python
   for key in keys_to_delete:
       wafa.keys.delete_key(key.fingerprint)
   ```
   
   **Option B:** If storage layer cannot be used, add explicit audit logging:
   
   ```python
   storage.audit(
       operation='committee_keys_bulk_delete',
       admin_asf_uid=session['uid'],
       committee_key=committee_key,
       keys_deleted=len(keys_to_delete),
       fingerprints=[k.fingerprint for k in keys_to_delete]
   )
   ```
   
   ### Acceptance Criteria
   - [ ] Storage layer used for deletions OR
   - [ ] Explicit audit logging implemented
   - [ ] Admin UID captured
   - [ ] Committee key captured
   - [ ] Deleted key fingerprints captured
   - [ ] Unit test verifying the fix
   
   ### References
   - Source reports: L2:16.2.1.md
   - Related findings: FINDING-017, FINDING-019
   - ASVS sections: 16.2.1
   
   ### Priority
   Critical
   
   ---
   
   **Triage notes:** combine with 009
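
The pattern this finding describes (a direct session delete that skips the storage layer's authorization and audit hooks) next to the remediated form, as an added example that is not code from the tooling-trusted-releases project; `KeyStorage`, `direct_delete`, the key fingerprints and the admin uids are all constructed placeholders, and the real storage API (`wafa.keys.delete_key`, `storage.audit`) is not reproduced here:

```python
from dataclasses import dataclass


@dataclass
class SigningKey:
    fingerprint: str   # constructed placeholder, not a real key fingerprint
    committee: str


@dataclass
class AuditEntry:
    operation: str
    admin_asf_uid: str
    committee_key: str
    fingerprints: list[str]


class NotAuthorized(Exception):
    pass


class KeyStorage:
    """Hypothetical storage layer: every write is authorized and audited."""

    def __init__(self, keys: list[SigningKey], admins: list[str]) -> None:
        self._keys = {k.fingerprint: k for k in keys}   # stands in for the DB session
        self._admins = set(admins)
        self.audit_log: list[AuditEntry] = []

    def delete_committee_keys(self, committee_key: str, admin_asf_uid: str) -> list[str]:
        # Authorization check: only a known admin may bulk-delete.
        if admin_asf_uid not in self._admins:
            raise NotAuthorized(admin_asf_uid)
        targets = [k for k in self._keys.values() if k.committee == committee_key]
        for k in targets:
            del self._keys[k.fingerprint]
        # Audit record captures who, which committee, and exactly which keys.
        fps = [k.fingerprint for k in targets]
        self.audit_log.append(AuditEntry("committee_keys_bulk_delete", admin_asf_uid, committee_key, fps))
        return fps

    def remaining(self) -> list[str]:
        return sorted(self._keys)


def direct_delete(store: KeyStorage, committee_key: str) -> None:
    """The finding's anti-pattern: touch the session directly, so no check and no audit entry."""
    for fp in [k.fingerprint for k in store._keys.values() if k.committee == committee_key]:
        del store._keys[fp]


def make_store() -> KeyStorage:
    # Constructed sample data: two keys for committee "tooling", one for "infra".
    return KeyStorage([SigningKey("CONSTRUCTED-FP-1", "tooling"),
                       SigningKey("CONSTRUCTED-FP-2", "tooling"),
                       SigningKey("CONSTRUCTED-FP-3", "infra")], admins=["admin1"])
```

After `direct_delete` the keys are gone but `audit_log` is empty, which is exactly the gap the acceptance criteria are meant to close.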


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.