asf-tooling opened a new issue, #992: URL: https://github.com/apache/tooling-trusted-releases/issues/992
**ASVS Level(s):** [L2-only]

**Description:**

### Summary

Multiple form fields use plain `str` type instead of applying the existing SafeType validation system. Hidden form fields and admin inputs accept arbitrary strings without character allowlists, violating the principle that all user-controllable input should be validated regardless of UI context. This is particularly concerning for hidden form fields, which are user-controllable despite being hidden in the UI.

### Details

Affected locations include:

- `atr/shared/ignores.py` lines 61-82: UpdateIgnoreForm.revision_number uses plain str
- `atr/shared/projects.py` line 26: AddProjectForm.committee_key uses plain str
- `atr/admin/__init__.py` various locations: Admin form UIDs lack validators

The codebase has well-designed safe types (e.g., `safe.RevisionNumber`, `safe.CommitteeKey`) but they are not consistently applied.

### Recommended Remediation

Apply safe types consistently:

- UpdateIgnoreForm.revision_number should use `safe.OptionalRevisionNumber`
- AddProjectForm.committee_key should use `safe.CommitteeKey`
- Admin form UIDs should have validators checking the `^[-_a-z0-9]+$` pattern with max length 64

### Acceptance Criteria

- [ ] All identified form fields use appropriate SafeType validators
- [ ] Hidden form fields apply the same validation as visible fields
- [ ] Admin form UIDs enforce alphanumeric-dash-underscore pattern
- [ ] Unit tests verify validation is applied to all form fields

### References

- Source reports: L2:1.3.3.md
- Related findings: FINDING-211
- ASVS sections: 1.3.3

### Priority

Medium

---

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
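Worked example, added here and not part of the issue or of the tooling-trusted-releases code base, of the bug class the finding describes and the check its acceptance criteria ask for. It models allowlisted field types as `typing.Annotated` metadata, shows the "before" form with bare `str` fields beside a form where every field (hidden `revision_number` included) carries an allowlist, and provides two functions: `unvalidated_fields`, which a unit test can assert is empty for every form class, and `check_submission`, which rejects a raw POST body that fails any field's allowlist. The `Allow` class and the `Uid`, `CommitteeKey` and `RevisionNumber` types are hypothetical; only the UID pattern `^[-_a-z0-9]+$` and its 64-character cap come from the issue, the other two patterns are assumptions made for this example and are not the project's `safe.*` definitions.

```python
import re
from dataclasses import dataclass, fields
from typing import Annotated, Optional, get_args, get_origin, get_type_hints


class Allow:
    """Character allowlist for one form field: a full-match regex plus a length cap."""

    def __init__(self, pattern: str, max_len: int) -> None:
        self.regex = re.compile(pattern)
        self.max_len = max_len

    def check(self, name: str, value: str) -> None:
        # Length first, so an oversized value never reaches the regex engine.
        if len(value) > self.max_len:
            raise ValueError(f"{name}: longer than {self.max_len} characters")
        if not self.regex.fullmatch(value):
            raise ValueError(f"{name}: characters outside /{self.regex.pattern}/")


# Hypothetical safe types. The UID pattern and length are the ones the issue
# recommends; the committee-key and revision-number allowlists are assumptions
# made for this example and are not atr's safe.* definitions.
Uid = Annotated[str, Allow(r"[-_a-z0-9]+", 64)]
CommitteeKey = Annotated[str, Allow(r"[a-z0-9]+", 32)]
RevisionNumber = Annotated[str, Allow(r"[0-9]+", 16)]


@dataclass
class UnsafeAddProjectForm:
    """The shape the issue objects to: bare str fields accept anything."""

    committee_key: str
    revision_number: str  # rendered as a hidden input, still attacker-controlled


@dataclass
class AddProjectForm:
    """Same form with every field, hidden or visible, carrying an allowlist."""

    committee_key: CommitteeKey
    revision_number: RevisionNumber
    admin_uid: Uid


def _allowlists(form_cls) -> dict[str, list[Allow]]:
    """Map each dataclass field to the Allow metadata on its annotation."""
    hints = get_type_hints(form_cls, include_extras=True)
    out: dict[str, list[Allow]] = {}
    for f in fields(form_cls):
        hint = hints[f.name]
        metadata = get_args(hint)[1:] if get_origin(hint) is Annotated else ()
        out[f.name] = [m for m in metadata if isinstance(m, Allow)]
    return out


def unvalidated_fields(form_cls) -> list[str]:
    """Names of fields with no allowlist at all; a unit test should assert this is empty."""
    return [name for name, allows in _allowlists(form_cls).items() if not allows]


def check_submission(form_cls, raw: dict[str, str]) -> Optional[str]:
    """Validate a raw POST body against form_cls: None on success, else the first error.

    A field missing from the body is treated as "" and fails its allowlist, so a
    client cannot bypass validation by simply omitting a hidden input.
    """
    for name, allows in _allowlists(form_cls).items():
        if not allows:
            return f"{name}: plain str field has no allowlist"
        value = raw.get(name, "")
        try:
            for allow in allows:
                allow.check(name, value)
        except ValueError as exc:
            return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample submissions; the second one tampers with the hidden field.
    good = {"committee_key": "tooling", "revision_number": "00001", "admin_uid": "release-manager_1"}
    tampered = dict(good, revision_number="1 OR 1=1")
    print(unvalidated_fields(UnsafeAddProjectForm))
    print(check_submission(AddProjectForm, good))
    print(check_submission(AddProjectForm, tampered))
```

Wiring `unvalidated_fields` into a test that iterates over every form class in the package is what turns the last acceptance criterion into something CI enforces rather than something a reviewer has to remember.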
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
