asf-tooling opened a new issue, #976:
URL: https://github.com/apache/tooling-trusted-releases/issues/976

   **ASVS Level(s):** [L2-only]
   
   **Description:**
   
   ### Summary
   The ALLOW_TESTS flag is checked in the worker without verifying the 
application is actually in Debug mode. While `atr/config.py:get()` enforces 
that ALLOW_TESTS can only be True in Debug mode at configuration load time, 
this enforcement occurs during initialization. If the configuration is 
manipulated or misconfigured, the worker will honor the flag regardless of the 
actual Mode. Tasks with `asf_uid='test'` bypass all LDAP authentication, ban 
enforcement, and identity validation.
   
   ### Details
   **Affected Files and Lines:**
   - `atr/worker.py:215-220` - ALLOW_TESTS check without mode verification
   
   The worker checks ALLOW_TESTS but does not verify the application is in 
Debug mode, creating a potential bypass if configuration is manipulated.
   
   ### Recommended Remediation
   Reference mode system directly by importing `config.get_mode()` and only 
allowing test bypass when mode == config.Mode.Debug:
   
   ```python
   # In atr/worker.py
   if config.get_mode() == config.Mode.Debug and config.ALLOW_TESTS:
       if task.asf_uid == 'test':
           # Allow test bypass only in Debug mode
           ...
   ```
   
   Alternatively, enforce ALLOW_TESTS=False in ProductionConfig with 
`__post_init__` validation:
   
   ```python
   # In atr/config.py ProductionConfig
   def __post_init__(self):
       if self.ALLOW_TESTS:
           raise RuntimeError("ALLOW_TESTS cannot be enabled in Production mode")
   ```
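   
   The two remediations above, modelled as a self-contained example (added here; not code from the tooling-trusted-releases project). The `Mode` enum, `ALLOW_TESTS` flag, `asf_uid`, and `__post_init__` check follow the names used in this issue; the `AppConfig`/`ProductionConfig` dataclasses, `Task`, and `may_bypass_auth()` are assumed stand-ins for the real `atr/config.py` and `atr/worker.py` structures.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    Debug = "debug"
    Production = "production"


@dataclass
class AppConfig:
    # Assumed stand-in for the config object returned by atr/config.py:get()
    mode: Mode
    ALLOW_TESTS: bool = False


@dataclass
class ProductionConfig(AppConfig):
    mode: Mode = Mode.Production

    def __post_init__(self) -> None:
        # Second remediation: refuse the flag at load time, independent of the worker.
        if self.ALLOW_TESTS:
            raise RuntimeError("ALLOW_TESTS cannot be enabled in Production mode")


@dataclass
class Task:
    asf_uid: str  # assumed minimal stand-in for the worker's task record


def may_bypass_auth(task: Task, cfg: AppConfig) -> bool:
    """First remediation, worker side: the test bypass needs Debug mode AND
    ALLOW_TESTS AND the 'test' uid, so a flag flipped after load is not
    honoured on its own."""
    return cfg.mode is Mode.Debug and cfg.ALLOW_TESTS and task.asf_uid == "test"


def production_config_rejects_flag() -> bool:
    """True if ProductionConfig refuses to be built with ALLOW_TESTS=True."""
    try:
        ProductionConfig(ALLOW_TESTS=True)
    except RuntimeError:
        return True
    return False
```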
   
   ### Acceptance Criteria
   - [ ] Mode check added to worker
   - [ ] Test bypass only in Debug mode
   - [ ] ProductionConfig validation considered
   - [ ] Configuration manipulation prevented
   - [ ] Integration test verifies enforcement
   - [ ] Unit test verifying the fix
   
   ### References
   - Source reports: L2:13.4.2.md
   - Related findings: FINDING-045
   - ASVS sections: 13.4.2
   
   ### Priority
   High
   
   ---
   
   **Related issue:** 
https://github.com/apache/tooling-trusted-releases/issues/944
