This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git


The following commit(s) were added to refs/heads/main by this push:
     new b06cc4a  fix(vulnogram-api): treat non-login 3xx as valid session in 
probe (#196)
b06cc4a is described below

commit b06cc4a654bb460b7476e7a654686f480e62e631
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sun May 17 17:22:17 2026 +0200

    fix(vulnogram-api): treat non-login 3xx as valid session in probe (#196)
    
    `vulnogram-api-check` was returning `error: HTTP 302` whenever
    `/cve5/new` redirected to a non-login URL. Upstream Vulnogram now
    302-redirects `/cve5/new` → `/allocatecve` (the PMC-gated allocation
    page), and the probe code treated *any* non-OAuth 3xx as an unknown
    error.
    
    The signal `_is_login_redirect` already encodes the only failure
    mode worth detecting (3xx to `oauth.apache.org` or `/users/login` →
    session expired). Any *other* 3xx means the app processed the
    session cookie successfully and chose to redirect to a different
    authenticated page — the session is valid; only the post-auth
    landing page changed.
    
    This was producing false-negative "expired" diagnoses on adopter
    machines whose sessions were actually working — `vulnogram-api-
    record-update` (which hits a different endpoint) kept succeeding,
    so the `security-issue-sync` skill was incorrectly falling back to
    the "manual paste required" release-manager hand-off variant on
    trackers whose CVE JSON had in fact been auto-pushed.
    
    Fix: accept any non-login 3xx as `valid`. Added a regression test
    covering the `/cve5/new` → `/allocatecve` case.
    
    Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
---
 tools/vulnogram/oauth-api/src/vulnogram_api/client.py | 8 +++++++-
 tools/vulnogram/oauth-api/tests/test_client.py        | 9 +++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/tools/vulnogram/oauth-api/src/vulnogram_api/client.py 
b/tools/vulnogram/oauth-api/src/vulnogram_api/client.py
index 23f8bf8..046b068 100644
--- a/tools/vulnogram/oauth-api/src/vulnogram_api/client.py
+++ b/tools/vulnogram/oauth-api/src/vulnogram_api/client.py
@@ -260,6 +260,12 @@ def probe(session: Session, *, section: str = "cve5", 
timeout: int = DEFAULT_TIM
 
     Used by :mod:`vulnogram_api.check`. Picks ``/<section>/new`` because
     it requires authentication but does no DB writes.
+
+    A non-login redirect (e.g. Vulnogram now 302-redirects ``/cve5/new`` to
+    ``/allocatecve``) means the session was successfully validated by the
+    app — only the post-auth destination changed. Treat any non-login 3xx
+    as ``valid``; pinning the probe URL would otherwise need a sync release
+    every time the Vulnogram app reshuffles its routing.
     """
     url = f"https://{session.host}/{section}/new";
     try:
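Review bot: The added docstring paragraph promises that *any* non-login 3xx is treated as ``valid``, but the code in the following hunk enumerates only 301/302/303/307/308, so a 300 or 304 still falls through to `error: HTTP …`; the prose should say what the code checks. I would phrase it as `Treat a non-login redirect (301, 302, 303, 307 or 308) as ``valid``; pinning the probe URL would otherwise …`. The opening lines of this docstring and the rest of `probe` are outside this hunk.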
@@ -268,6 +274,6 @@ def probe(session: Session, *, section: str = "cve5", 
timeout: int = DEFAULT_TIM
         return f"error: {e}"
     if _is_login_redirect(status, headers):
         return "expired"
-    if status == 200:
+    if status == 200 or status in (301, 302, 303, 307, 308):
         return "valid"
     return f"error: HTTP {status}"
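Review bot: The new condition at `if status == 200 or status in (301, 302, 303, 307, 308):` accepts a 3xx regardless of where it points, so a redirect to a host other than the Vulnogram app — a maintenance page, or a login route that `_is_login_redirect` does not recognise if the SSO host or path is ever renamed — would now be reported as `valid`, the inverse of the false-"expired" this commit fixes. The redirect the commit describes is an in-app one (`/cve5/new` → `/allocatecve`), and that is the case worth accepting: a `Location` that is relative or on `session.host`. I would narrow the new branch to that and return a distinct error for an off-host redirect, as below (needs `from urllib.parse import urlparse` at the top of the module; I am assuming `headers` supports `.get("Location")`, which the dict fixture in the new test suggests). `probe` begins before this hunk and `_is_login_redirect` is defined outside it, so the existing login check is unchanged.
```python
    if _is_login_redirect(status, headers):
        return "expired"
    if status == 200:
        return "valid"
    if status in (301, 302, 303, 307, 308):
        location = headers.get("Location", "")
        # An in-app redirect (relative, or absolute on the same host) shows the
        # session cookie was accepted; a cross-host redirect is not evidence of that.
        if urlparse(location).netloc in ("", session.host):
            return "valid"
        return f"error: unexpected redirect to {location}"
    return f"error: HTTP {status}"
```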
diff --git a/tools/vulnogram/oauth-api/tests/test_client.py 
b/tools/vulnogram/oauth-api/tests/test_client.py
index d329507..468f194 100644
--- a/tools/vulnogram/oauth-api/tests/test_client.py
+++ b/tools/vulnogram/oauth-api/tests/test_client.py
@@ -239,3 +239,12 @@ def test_probe_unexpected_status():
     with _patch_opener(open_fn):
         result = probe(_session())
     assert result.startswith("error: HTTP 500")
+
+
+def test_probe_valid_on_non_login_redirect():
+    # Vulnogram now 302-redirects /cve5/new to /allocatecve. The redirect is
+    # NOT to oauth.apache.org / /users/login, so it indicates the session
+    # passed auth — only the post-auth landing page changed.
+    open_fn = _fake_open(302, b"", {"Location": "/allocatecve"})
+    with _patch_opener(open_fn):
+        assert probe(_session()) == "valid"
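Review bot: The regression test pins only a relative `Location`; an absolute same-host URL takes the same `valid` branch but also passes through `_is_login_redirect` (defined outside this diff), and a cross-host `Location` is likewise reported `valid` by the new code, so neither behaviour is locked down by the suite. Worth adding a second case such as `open_fn = _fake_open(302, b"", {"Location": "https://<session host>/allocatecve"})` asserting `"valid"`, and a third with an off-host `Location` asserting whatever outcome is intended, so that a later tightening of the probe cannot regress silently. `_fake_open`, `_patch_opener` and `_session` are helpers defined earlier in the file, outside this hunk.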
