asf-tooling opened a new issue, #973:
URL: https://github.com/apache/tooling-trusted-releases/issues/973

**ASVS Level(s):** [L1]

**Description:**

### Summary
The application allows committee members to delete or update check result ignores by numeric ID without verifying that the ignore record belongs to the project the request was authorized for. A single committee can manage multiple projects. The authorization check validates committee membership, but the storage layer's `ignore_delete(id)` and `ignore_update(id, ...)` methods accept only the integer id and never compare the record's `project_key` with the authorized project.

### Details
**Affected Files and Lines:**
- `atr/post/ignores.py:68` - ignore_delete without project verification
- `atr/post/ignores.py:80` - ignore_update without project verification
- `atr/api/__init__.py:274` - API endpoint with same issue
- `atr/storage/writers/checks.py` - Storage layer without project scoping

An attacker with access to one project can manipulate ignore records for any other project managed by the same committee by guessing or enumerating the integer ignore IDs.
### Recommended Remediation
Add a `project_key` parameter to the `ignore_delete()` and `ignore_update()` methods in the storage layer, so that the record is selected by `(id, project_key)` rather than by `id` alone:

```python
# In atr/storage/writers/checks.py
def ignore_delete(self, ignore_id: int, project_key: str) -> None:
    """Delete ignore record with project verification."""
    # Validate project is in committee
    self.__validate_project_in_committee(project_key)

    # Fetch ignore with project filter: a record that belongs to another
    # project is indistinguishable from a missing one
    ignore = self.__db_session.query(sql.CheckIgnore).filter_by(
        id=ignore_id,
        project_key=project_key
    ).first()

    if not ignore:
        raise ValueError("Ignore record not found or access denied")

    self.__db_session.delete(ignore)
```

Update all callers (`atr/post/ignores.py` and the endpoint in `atr/api/__init__.py`) to pass `project_key`, taking it from the project the request was authorized for rather than from a separately client-supplied value, so a caller cannot substitute a sibling project's key. Apply the same pattern to `ignore_update()`.
   
### Acceptance Criteria
- [ ] project_key parameter added to methods
- [ ] Project validation in storage layer
- [ ] Query filters include project_key
- [ ] All callers updated
- [ ] Integration test verifies IDOR prevention
- [ ] Unit test verifying the fix
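As an added illustration, not ATR's own code, the following Python places the unscoped delete beside the project-scoped delete and update described in the remediation above and exercises both the way the integration test in the acceptance criteria would: a caller authorized for one project targets a sibling project's ignore ID within the same committee. The sqlite3 schema, the `committee_project` and `check_ignore` tables, the `IgnoreWriter` class and its method names are all assumptions made for this example; `project_key` is taken to be the key of the project the request was authorized for.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture (assumed schema, not ATR's): one committee that
    manages two projects, each with one check-result ignore record."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE committee_project (committee TEXT NOT NULL, project_key TEXT NOT NULL);
        CREATE TABLE check_ignore (
            id INTEGER PRIMARY KEY,
            project_key TEXT NOT NULL,
            pattern TEXT NOT NULL
        );
        INSERT INTO committee_project VALUES ('tooling', 'atr'), ('tooling', 'other');
        INSERT INTO check_ignore (project_key, pattern)
            VALUES ('atr', 'license-header'), ('other', 'sha512-missing');
        """
    )
    return db


class IgnoreWriter:
    """Hypothetical storage-layer writer bound to one committee; the shape
    mirrors the writer the issue describes, but every name is an assumption."""

    def __init__(self, db: sqlite3.Connection, committee: str) -> None:
        self._db = db
        self._committee = committee

    def _validate_project_in_committee(self, project_key: str) -> None:
        row = self._db.execute(
            "SELECT 1 FROM committee_project WHERE committee = ? AND project_key = ?",
            (self._committee, project_key),
        ).fetchone()
        if row is None:
            raise PermissionError(f"{project_key} is not managed by {self._committee}")

    # Vulnerable shape: the id is the only selector, so any record reachable by
    # guessing an integer is deleted, whichever project it belongs to.
    def ignore_delete_unscoped(self, ignore_id: int) -> int:
        return self._db.execute("DELETE FROM check_ignore WHERE id = ?", (ignore_id,)).rowcount

    # Hardened shape: project_key is the project the request was authorized for
    # (taken from the route, not from the caller's payload) and the row must
    # carry it; a mismatch looks identical to a missing record.
    def ignore_delete(self, ignore_id: int, project_key: str) -> None:
        self._validate_project_in_committee(project_key)
        cur = self._db.execute(
            "DELETE FROM check_ignore WHERE id = ? AND project_key = ?",
            (ignore_id, project_key),
        )
        if cur.rowcount == 0:
            raise ValueError("Ignore record not found or access denied")

    def ignore_update(self, ignore_id: int, project_key: str, pattern: str) -> None:
        self._validate_project_in_committee(project_key)
        cur = self._db.execute(
            "UPDATE check_ignore SET pattern = ? WHERE id = ? AND project_key = ?",
            (pattern, ignore_id, project_key),
        )
        if cur.rowcount == 0:
            raise ValueError("Ignore record not found or access denied")


def run_scenario() -> dict:
    """A caller authorized only for project 'atr' targets ignore id 2, which
    belongs to 'other' in the same committee. Returns what each path did."""
    result = {}

    db = make_db()
    w = IgnoreWriter(db, "tooling")
    # The committee check passed upstream; the unscoped delete takes the foreign row.
    result["unscoped_deleted_foreign_row"] = w.ignore_delete_unscoped(2) == 1

    db = make_db()
    w = IgnoreWriter(db, "tooling")
    try:
        w.ignore_delete(2, "atr")
        result["scoped_delete_refused"] = False
    except ValueError:
        result["scoped_delete_refused"] = True
    try:
        w.ignore_update(2, "atr", "anything")
        result["scoped_update_refused"] = False
    except ValueError:
        result["scoped_update_refused"] = True
    # A project outside the committee fails the committee check first.
    try:
        w.ignore_delete(1, "unrelated")
        result["foreign_committee_refused"] = False
    except PermissionError:
        result["foreign_committee_refused"] = True
    # The legitimate case still works: own project's record with a matching key.
    w.ignore_delete(1, "atr")
    result["rows_left"] = db.execute("SELECT COUNT(*) FROM check_ignore").fetchone()[0]
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The scoped methods use the same error for "no such row" and "row belongs to another project", so a probing caller cannot use the response to confirm that a guessed ID exists.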
   
### References
- Source reports: L1:8.2.2.md
- Related findings: FINDING-040
- ASVS sections: 8.2.2

### Priority
High

---

**Triage notes:** confirm


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
