asf-tooling opened a new issue, #962:
URL: https://github.com/apache/tooling-trusted-releases/issues/962
**ASVS Level(s):** [L1]
**Description:**
### Summary
The form-based endpoint for editing vote policy bypasses the minimum hours
range validation (72-144 hours or 0) that is correctly applied to the API
endpoint. The validation function `_validate_min_hours()` exists in the policy
layer but is not called when editing policies via the web form. This allows
committee members to set voting periods that violate policy-mandated minimums
via the web interface, potentially enabling governance bypass through extremely
short or long voting periods.
### Details
**Affected Files and Lines:**
- `atr/storage/writers/policy.py:220-236` - API path with validation
- `atr/storage/writers/policy.py:238-252` - Web form path without validation
The validation function exists and is correctly applied in the API path, but
the web form endpoint directly assigns values without calling the validation
function.
### Recommended Remediation
Add `_validate_min_hours()` call in `__set_min_hours()` before assignment to
enforce the 72-144 hour range (or 0) requirement:
```python
def __set_min_hours(self, value: int) -> None:
    """Set minimum hours with validation."""
    validated_value = _validate_min_hours(value)
    self.release_policy.min_hours = validated_value
```
Ensure validation is consistently applied across both web form and API
endpoints.
### Acceptance Criteria
- [ ] Validation function called in web form path
- [ ] 72-144 hour range enforced
- [ ] Zero value allowed (disable minimum)
- [ ] Invalid values rejected
- [ ] Error messages displayed to user
- [ ] Unit test verifying the fix
### References
- Source reports: L1:2.2.1.md
- Related findings: FINDING-021, FINDING-089, FINDING-003
- ASVS sections: 2.2.1
### Priority
High
---
### Consolidated: FINDING-026 - Vote Duration Not Validated Against Policy Minimum at Vote Start
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
When starting a vote, the user-supplied `vote_duration` is not validated
against the project's configured `min_hours` policy. The validation function
`_validate_min_hours()` exists in the policy module but is only called when
editing policies, not when starting votes. This allows committee members to
circumvent configured minimum voting periods, bypassing ASF voting policy
requirements and potentially invalidating the vote.
### Details
**Affected Files and Lines:**
- `atr/storage/writers/vote.py:80-130` - vote.start() without duration validation
- `atr/post/voting.py:77-132` - Vote start handler
The validation function exists but is not applied when votes are initiated,
allowing users to specify durations shorter than the policy minimum.
### Recommended Remediation
Add validation in `vote.start()` to check that `vote_duration_choice >= policy.min_hours` before creating the vote task:
```python
# Fetch release with policy information
release = db_session.get(sql.Release, release_key)
policy = release.project.policy
# Validate duration against policy
if policy.min_hours > 0 and vote_duration_choice < policy.min_hours:
    raise storage.AccessError(
        f"Vote duration ({vote_duration_choice}h) is below policy minimum "
        f"({policy.min_hours}h)"
    )
```
Fetch release with policy information and compare user-supplied duration
against minimum. Raise `storage.AccessError` if duration is below minimum.
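As an added illustration of both findings (not code from the tooling-trusted-releases project), the following self-contained Python shows a single `_validate_min_hours()` choke point that both the API and web-form setters route through, together with the vote-start check against the configured minimum. The names `ReleasePolicy`, `PolicyError`, `AccessError` and `start_vote` are assumptions for this example.

```python
# Added example, not the project's own code. ReleasePolicy, PolicyError,
# AccessError and start_vote are illustrative names, not project identifiers.
from dataclasses import dataclass

MIN_HOURS_LOWER = 72   # smallest permitted configured minimum voting period
MIN_HOURS_UPPER = 144  # largest permitted configured minimum voting period


class PolicyError(ValueError):
    """Raised when a policy value is outside the permitted range."""


class AccessError(Exception):
    """Raised when an operation would violate the configured policy."""


def _validate_min_hours(value: int) -> int:
    """Return value if it is 0 (minimum disabled) or within 72-144 hours."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise PolicyError(f"min_hours must be an integer, got {value!r}")
    if value == 0 or MIN_HOURS_LOWER <= value <= MIN_HOURS_UPPER:
        return value
    raise PolicyError(
        f"min_hours must be 0 or between {MIN_HOURS_LOWER} and "
        f"{MIN_HOURS_UPPER} hours, got {value}"
    )


@dataclass
class ReleasePolicy:
    min_hours: int = 0

    def set_min_hours(self, value: int) -> None:
        # Single setter used by every path (API and web form), so the
        # range check cannot be skipped by one of them.
        self.min_hours = _validate_min_hours(value)


def start_vote(policy: ReleasePolicy, vote_duration_choice: int) -> int:
    """Reject a requested duration shorter than the policy minimum."""
    if policy.min_hours > 0 and vote_duration_choice < policy.min_hours:
        raise AccessError(
            f"Vote duration ({vote_duration_choice}h) is below policy minimum "
            f"({policy.min_hours}h)"
        )
    return vote_duration_choice
```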
### Acceptance Criteria
- [ ] Duration validated against policy minimum
- [ ] AccessError raised for invalid durations
- [ ] Error message includes policy requirement
- [ ] Integration test verifies enforcement
- [ ] All vote start paths validated
- [ ] Unit test verifying the fix
### References
- Source reports: L2:2.3.2.md
- Related findings: FINDING-003, FINDING-022
- ASVS sections: 2.3.2
### Priority
High
---