asf-tooling opened a new issue, #999:
URL: https://github.com/apache/tooling-trusted-releases/issues/999

   **ASVS Level(s):** [L1]
   
   **Description:**
   
   ### Summary
   The `PolicyUpdateArgs` Pydantic model used by the API endpoint lacks the business validation rules that are present in the corresponding web form models. Missing validations include: the min_hours range (72-144 or 0), github_repository_name slash rejection, workflow path prefix checks, and mailto_addresses email format validation. As a result, API clients can bypass validation that web form users receive.
   
   ### Details
   Affected location: `atr/models/api.py` lines 180-220
   
   API users can submit policy updates that would be rejected through the web 
form, including:
   - Invalid min_hours values outside allowed range
   - GitHub repository names with slashes
   - Invalid workflow paths
   - Malformed email addresses
   
   ### Recommended Remediation
   Add a Pydantic `model_validator` to the `PolicyUpdateArgs` class that enforces all business validation rules present in the form models:
   
   ```python
   # Goes inside `class PolicyUpdateArgs(pydantic.BaseModel)` in atr/models/api.py
   @pydantic.model_validator(mode='after')
   def validate_policy_args(self) -> 'PolicyUpdateArgs':
       # min_hours: 0 is the only value accepted outside the 72-144 range
       if self.min_hours is not None:
           if self.min_hours != 0 and not (72 <= self.min_hours <= 144):
               raise ValueError("min_hours must be 0 or between 72-144")

       # The repository name is a bare name, so an owner/repo style slash is rejected
       if self.github_repository_name and '/' in self.github_repository_name:
           raise ValueError("github_repository_name cannot contain slashes")

       # Add other validations matching form models
       return self
   ```
   
   ### Acceptance Criteria
   - [ ] API model enforces same validation as web forms
   - [ ] Invalid policy values are rejected via API
   - [ ] Test cases verify all validation rules
   - [ ] Unit test verifying the fix
   
   ### References
   - Source reports: L1:2.2.1.md
   - Related findings: FINDING-021, FINDING-022
   - ASVS sections: 2.2.1
   
   ### Priority
   Medium
   
   ---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]