asf-tooling opened a new issue, #975:
URL: https://github.com/apache/tooling-trusted-releases/issues/975

   **ASVS Level(s):** [L1, L2]
   
   **Description:**
   
   ### Summary
   Multiple GET endpoint handlers that display project-specific data fail to verify that the authenticated user has access to the requested project. While authentication is enforced (all require a web.Committer session), authorization is missing, allowing any ASF committer to view data for projects they are not associated with. Affected endpoints include file viewing, distribution listing, check reports, SBOM reports, and revision checks. These endpoints allow access to file listings, file contents, security analysis results, CVE identifiers, vulnerability severity, dependency licenses, and detailed check results from any project's releases (including draft releases not yet public).
   
   ### Details
   **Affected Files and Lines:**
   - `atr/get/file.py:36` - file_list without access check
   - `atr/get/file.py:41` - file_view without access check
   - `atr/get/file.py:73` - file_download without access check
   - `atr/get/file.py:109` - file_download_archive without access check
   - `atr/get/file.py:30-102` - Multiple functions without authorization
   - `atr/get/file.py:105-169` - Multiple functions without authorization
   - `atr/get/distribution.py:38` - distributions without access check
   - `atr/get/distribution.py:48` - distribution_create without access check
   - `atr/get/checks.py:88` - checks without access check
   - `atr/get/checks.py:101` - checks_selected without access check
   - `atr/get/report.py:30` - report without access check
   - `atr/get/report.py:36` - report_revision without access check
   - `atr/get/sbom.py:48` - sbom_report without access check
   - `atr/get/sbom.py:40` - sbom_list without access check
   - `atr/get/projects.py:125` - revision_checks without access check
   
   These endpoints authenticate users but do not authorize access to specific projects, allowing cross-project data access.
   
   ### Recommended Remediation
   Add `await session.check_access(project_key)` at the beginning of each affected function, before processing project-specific data:
   
   ```python
   async def file_list(
       session: web.Committer,
       project_key: safe.ProjectKey,
       ...
   ) -> web.ElementResponse:
       """Display file list for a release."""
       await session.check_access(project_key)  # ADD THIS
       # ... rest of function
   ```
   
   This applies the same authorization pattern successfully used in other GET endpoints such as start.py, upload.py, revisions.py, voting.py, manual.py, finish.py, ignores.py, and result.py. Add integration tests verifying authorization for each endpoint.
   
   ### Acceptance Criteria
   - [ ] Authorization check added to all affected endpoints
   - [ ] session.check_access(project_key) called first
   - [ ] Cross-project access prevented
   - [ ] Integration tests verify authorization
   - [ ] All GET endpoints reviewed
   - [ ] Unit test verifying the fix
   
   ### References
   - Source reports: L1:8.2.1.md, L1:8.2.2.md, L1:8.3.1.md
   - Related findings: FINDING-139
   - ASVS sections: 8.2.1, 8.2.2, 8.3.1
   
   ### Priority
   High
   
   ---
   
   **Triage notes:** atr/docs and audit_guidance about the special stance we have as an open software group, allowing this intentionally
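As an added illustration of the "All GET endpoints reviewed" acceptance criterion (this is example code, not part of the ATR project), the script below parses handler source with `ast` and reports async handlers that take `session` and `project_key` but do not make `await session.check_access(project_key)` their first statement after the docstring. The sample handlers, `db` and `render` are constructed; `web.Committer`, `safe.ProjectKey` and `session.check_access` are taken from the issue text and assumed to behave as described.

```python
import ast

# Constructed sample in the shape the issue describes. web.Committer,
# safe.ProjectKey and session.check_access are the issue's names (assumed);
# db and render are placeholders.
SAMPLE_SOURCE = '''
async def file_list(session: web.Committer, project_key: safe.ProjectKey):
    """Display file list for a release."""
    release = await db.get_release(project_key)   # no authorization at all
    return render(release)

async def sbom_report(session: web.Committer, project_key: safe.ProjectKey):
    report = await db.get_sbom(project_key)
    await session.check_access(project_key)       # too late: data already read
    return render(report)

async def start(session: web.Committer, project_key: safe.ProjectKey):
    """Guarded correctly: the check is the first statement."""
    await session.check_access(project_key)
    return render(project_key)
'''


def _is_check_access(stmt: ast.stmt, session_arg: str) -> bool:
    """True if stmt is exactly `await <session_arg>.check_access(...)`."""
    if not (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Await)):
        return False
    call = stmt.value.value
    return (isinstance(call, ast.Call)
            and isinstance(call.func, ast.Attribute)
            and call.func.attr == "check_access"
            and isinstance(call.func.value, ast.Name)
            and call.func.value.id == session_arg)


def find_unguarded_handlers(source: str) -> list[str]:
    """Names of async handlers that take `session` and `project_key` but whose
    first statement (after an optional docstring) is not the access check."""
    offenders = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.AsyncFunctionDef):
            continue
        params = {a.arg for a in node.args.args + node.args.kwonlyargs}
        if not {"session", "project_key"} <= params:
            continue
        body = node.body[1:] if ast.get_docstring(node) is not None else node.body
        if not body or not _is_check_access(body[0], "session"):
            offenders.append(node.name)
    return offenders


if __name__ == "__main__":
    print(find_unguarded_handlers(SAMPLE_SOURCE))  # ['file_list', 'sbom_report']
```

Run it over `atr/get/*.py` to get a list to compare against the affected-files table above; a handler that fetches data before the check is reported as well, since the criterion is that the check is called first.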


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
