asf-tooling opened a new issue, #967:
URL: https://github.com/apache/tooling-trusted-releases/issues/967
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
Vote resolution lacks optimistic locking, allowing duplicate preview
revisions and inconsistent state transitions. The functions
`resolve_manually()` and `resolve_release()` change the release phase by
direct ORM attribute assignment, with no WHERE phase guard on the UPDATE, so
two concurrent resolutions of the same release can both appear to succeed.
The results are duplicate preview revisions, conflicting vote resolutions, or
duplicate podling vote initiations sent to external systems (the Incubator
PMC list).
### Details
**Affected Files and Lines:**
- `atr/storage/writers/vote.py:127-160` - resolve_manually() without
optimistic locking
- `atr/storage/writers/vote.py:180-230` - resolve_release() without
optimistic locking
The functions modify release phase and perform side effects without atomic
phase transitions, allowing race conditions in concurrent operations.
### Recommended Remediation
Apply the existing optimistic locking pattern from `promote_to_candidate()`:
```python
# In resolve_manually(); `update` is sqlalchemy.update and `sql` is the
# module holding the ATR ORM models
from sqlalchemy import update

result = db_session.execute(
    update(sql.Release)
    .where(sql.Release.key == release_key)
    .where(sql.Release.phase == 'RELEASE_CANDIDATE')  # WHERE phase guard
    .values(phase=new_phase)
)
# rowcount is the lock: 1 means this call won the transition, 0 means the
# phase already changed underneath us
if result.rowcount != 1:
    db_session.rollback()
    raise ConcurrentModificationError("Release phase changed during resolution")
# Only proceed with create_revision_with_quarantine() after the confirmed
# phase transition
```
For `resolve_release()` with podling voting, apply the same pattern to the
UPDATE that records the Incubator vote thread, with a `WHERE podling_thread_id
IS NULL` guard, and send the vote e-mail only when that UPDATE reports one
affected row. This prevents duplicate Incubator PMC vote initiation.
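The following is an added example, not code from the ATR project, that shows the race and the guarded fix side by side on an in-memory SQLite table. The phase names `RELEASE_CANDIDATE` and `RELEASE_PREVIEW`, the `ConcurrentModificationError` class, the release key and the vote thread id are assumptions for the example; `revisions` and `outbox` lists stand in for `create_revision_with_quarantine()` and the Incubator vote e-mail.

```python
import sqlite3

# Phase names and the error type are assumptions modelled on the issue text;
# ATR's real constants and exception classes may be named differently.
CANDIDATE = "RELEASE_CANDIDATE"
PREVIEW = "RELEASE_PREVIEW"
RELEASE_KEY = "tooling-example-0.1"  # constructed fixture, not a real release


class ConcurrentModificationError(RuntimeError):
    """Raised when a guarded UPDATE matched no row: another resolution won."""


def make_db() -> sqlite3.Connection:
    """Constructed fixture: one candidate release, no Incubator vote thread yet."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE release (key TEXT PRIMARY KEY, phase TEXT NOT NULL,"
        " podling_thread_id TEXT)"
    )
    conn.execute("INSERT INTO release VALUES (?, ?, NULL)", (RELEASE_KEY, CANDIDATE))
    conn.commit()
    return conn


def guarded_update(conn: sqlite3.Connection, stmt: str, params: tuple) -> None:
    """Optimistic lock: the WHERE clause states the expected current state.
    rowcount == 1 means this caller won the transition; 0 means the row no
    longer matched, so roll back and perform no side effects."""
    cur = conn.execute(stmt, params)
    if cur.rowcount != 1:
        conn.rollback()
        raise ConcurrentModificationError(f"state changed during: {stmt}")
    conn.commit()


def resolve_unguarded(conn, observed_phase: str, revisions: list) -> None:
    """The pattern the issue describes: check a phase read earlier, then write
    with no guard. Two callers that both observed CANDIDATE both succeed."""
    if observed_phase != CANDIDATE:
        raise ConcurrentModificationError("not a candidate")
    conn.execute("UPDATE release SET phase = ? WHERE key = ?", (PREVIEW, RELEASE_KEY))
    conn.commit()
    revisions.append("preview-revision")  # stand-in for create_revision_with_quarantine()


def resolve_guarded(conn, revisions: list) -> None:
    """Check and write are one statement; the side effect runs only after it wins."""
    guarded_update(
        conn,
        "UPDATE release SET phase = ? WHERE key = ? AND phase = ?",
        (PREVIEW, RELEASE_KEY, CANDIDATE),
    )
    revisions.append("preview-revision")


def start_podling_vote(conn, thread_id: str, outbox: list) -> None:
    """Record the Incubator vote thread only if none exists, then send the mail."""
    guarded_update(
        conn,
        "UPDATE release SET podling_thread_id = ? WHERE key = ?"
        " AND podling_thread_id IS NULL",
        (thread_id, RELEASE_KEY),
    )
    outbox.append(f"[VOTE] {RELEASE_KEY} thread={thread_id}")  # stand-in for the e-mail


def run_twice(action) -> list:
    """Simulate two operators (or a double submit) racing on the same release."""
    outcomes = []
    for _ in range(2):
        try:
            action()
            outcomes.append("won")
        except ConcurrentModificationError:
            outcomes.append("lost")
    return outcomes


def demo() -> dict:
    # Unguarded: both callers read CANDIDATE before either writes (stale read),
    # so both pass their check and two preview revisions are created.
    conn = make_db()
    stale = conn.execute("SELECT phase FROM release").fetchone()[0]
    dup_revisions: list = []
    unguarded = run_twice(lambda: resolve_unguarded(conn, stale, dup_revisions))

    # Guarded: the second UPDATE matches no row, so exactly one revision is
    # created and exactly one Incubator vote mail goes out.
    conn = make_db()
    revisions: list = []
    outbox: list = []
    guarded = run_twice(lambda: resolve_guarded(conn, revisions))
    votes = run_twice(lambda: start_podling_vote(conn, "<vote-1@example>", outbox))
    return {
        "unguarded": unguarded, "unguarded_revisions": len(dup_revisions),
        "guarded": guarded, "guarded_revisions": len(revisions),
        "votes": votes, "mails_sent": len(outbox),
    }
```

Calling `demo()` returns `["won", "won"]` with two revisions for the unguarded path and `["won", "lost"]` with one revision and one mail for the guarded path. The same `rowcount` check carries over to SQLAlchemy's `Result.rowcount` on an `update()` statement; the point is that the expected phase lives in the WHERE clause of the write, not in a separate read.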
### Acceptance Criteria
- [ ] Optimistic locking applied to resolve_manually()
- [ ] Optimistic locking applied to resolve_release()
- [ ] WHERE phase guards implemented
- [ ] Rowcount checked after update
- [ ] Side effects only after confirmed transition
- [ ] Unit test verifying the fix
### References
- Source reports: L2:2.3.4.md
- Related findings: FINDING-106
- ASVS sections: 2.3.4
### Priority
High
---
**Triage notes:** review two-phase voting for podlings
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]