asf-tooling opened a new issue, #1011:
URL: https://github.com/apache/tooling-trusted-releases/issues/1011

**ASVS Level(s):** [L2-only]

**Description:**

### Summary
Upload sessions are not scoped to a specific project/version combination, so files staged for one project can be finalized into another if the user has access to both. Files staged for one project/version could therefore be finalized into a different project/version, potentially mixing release artifacts or contaminating a release with the wrong files.

### Details
Affected locations:
- `atr/post/upload.py` line 107: Stage endpoint doesn't store context
- `atr/post/upload.py` line 39: Finalize endpoint doesn't validate context

The upload session token is used across staging and finalization, but there is no validation that the files being finalized were staged for the same project/version combination.

### Recommended Remediation
Store project/version metadata with the upload session and validate it in the finalise endpoint. Check that the session metadata matches the finalization context before proceeding:

```python
# In stage endpoint:
session_metadata = {
    'project_key': project_key,
    'version_key': version_key,
    'session_id': upload_session
}
# Store metadata with session

# In finalise endpoint:
session_metadata = get_session_metadata(upload_session)
if session_metadata['project_key'] != project_key or \
   session_metadata['version_key'] != version_key:
    raise exceptions.BadRequest("Upload session context mismatch")
```
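An added example (not the project's code) of the scoped session store the remediation describes: a session records the project/version it was created for, staging further files into a different scope is rejected, and finalize is refused unless the caller's project/version matches. `UploadSessionStore`, `UploadContextMismatch` and the in-memory dict are hypothetical stand-ins for ATR's real session storage and exception types.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class UploadContextMismatch(Exception):
    """Finalize (or further staging) named a different project/version than the session."""


@dataclass
class UploadSession:
    project_key: str
    version_key: str
    files: List[str] = field(default_factory=list)


class UploadSessionStore:
    """In-memory store; a hypothetical stand-in for the application's real session storage."""

    def __init__(self) -> None:
        self._sessions: Dict[str, UploadSession] = {}

    def stage(self, project_key: str, version_key: str, filename: str,
              session_id: Optional[str] = None) -> str:
        # The first stage call creates the session and binds it to exactly one scope.
        if session_id is None:
            session_id = secrets.token_urlsafe(16)
            self._sessions[session_id] = UploadSession(project_key, version_key)
        session = self._lookup(session_id)
        # Every later stage call must stay inside that scope as well.
        self._check_scope(session, project_key, version_key)
        session.files.append(filename)
        return session_id

    def finalize(self, session_id: str, project_key: str, version_key: str) -> List[str]:
        session = self._lookup(session_id)
        self._check_scope(session, project_key, version_key)
        del self._sessions[session_id]  # single use: the session is consumed on finalize
        return session.files

    def _lookup(self, session_id: str) -> UploadSession:
        if session_id not in self._sessions:
            raise KeyError(f"unknown or already finalized upload session {session_id!r}")
        return self._sessions[session_id]

    @staticmethod
    def _check_scope(session: UploadSession, project_key: str, version_key: str) -> None:
        if (session.project_key, session.version_key) != (project_key, version_key):
            raise UploadContextMismatch("Upload session context mismatch")
```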

### Acceptance Criteria
- [ ] Upload sessions are scoped to project/version
- [ ] Cross-project finalization is rejected
- [ ] Session metadata is validated during finalization
- [ ] Test cases verify context validation
- [ ] Unit test verifying the fix

### References
- Source reports: L2:2.2.3.md
- Related findings: None
- ASVS sections: 2.2.3

### Priority
Medium

---

**Related issue:** https://github.com/apache/tooling-trusted-releases/issues/968

---

**Triage notes:** related to https://github.com/apache/tooling-trusted-releases/issues/968

