asf-tooling opened a new issue, #1017:
URL: https://github.com/apache/tooling-trusted-releases/issues/1017
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The application runs behind a reverse proxy (`ProxyFixMiddleware` at lines
93-94 of server.py), but has no application-level code to reject or
differentiate HTTP requests arriving at API endpoints (/api/*). All HTTP→HTTPS
redirect behavior is delegated entirely to the frontend proxy. If the proxy
applies a blanket HTTP→HTTPS redirect to all paths (a common default
configuration), API clients that erroneously send credentials, JWTs, or
sensitive data over HTTP would be silently redirected to HTTPS, masking the
data leakage. This violates the core principle of ASVS 4.1.2: API endpoints
should fail loudly on HTTP to alert developers of misconfiguration, not
silently redirect.
### Details
Affected locations:
- `atr/server.py` lines 91-94: ProxyFixMiddleware configuration
- `atr/blueprints/api.py` lines 124-128: API blueprint
- `atr/server.py` lines 491-502: Server startup
Impact: API clients sending sensitive data (PATs, JWTs, SSH keys, OpenPGP
keys) over HTTP would have their credentials exposed in plaintext. A
transparent redirect masks this, giving false confidence that the communication
was secure.
Affected endpoints include:
- POST /api/jwt/create (sends PAT credentials)
- POST /api/key/add (sends OpenPGP key material)
- POST /api/release/upload (sends release artifacts)
- POST /api/ssh-key/add (sends SSH key material)
- POST /api/distribute/ssh/register (sends SSH key + JWT)
### Recommended Remediation
Add an API-specific before_request hook that rejects non-HTTPS requests:
```python
# atr/blueprints/api.py
import quart  # the hook uses quart.request and quart.jsonify

# _BLUEPRINT is the API blueprint object already defined in this module.
# Note: with ProxyFixMiddleware in place, request.is_secure is derived from the
# X-Forwarded-Proto header set by the trusted proxy, so that header must be
# forwarded and must not be accepted from untrusted peers.


@_BLUEPRINT.before_request
async def _enforce_https() -> quart.Response | None:
    """Reject API requests that arrive over plaintext HTTP (ASVS 4.1.2).
    User-facing endpoints may redirect HTTP→HTTPS at the proxy level,
    but API endpoints must not silently redirect — they should fail loudly
    so that misconfigured clients are made aware of data leakage.
    """
    if not quart.request.is_secure:
        return quart.jsonify({
            "error": "HTTPS required",
            "detail": "API requests must use HTTPS. Do not rely on HTTP-to-HTTPS redirects.",
        }), 421  # 421 Misdirected Request
    return None
```
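The hook above only works if `is_secure` reflects what the client actually used, which behind a proxy means trusting `X-Forwarded-Proto` from the proxy and nothing else. The following is an added example, not code from the issue or from the ATR project: a framework-free model of the same decision so the rejection logic and the proxy-trust edge case can be exercised without Quart. The names `Request`, `TRUSTED_PROXY_IPS`, `request_is_secure`, `is_api_path` and `enforce_https` are assumptions made for this example.

```python
# Added example: models ProxyFix-style scheme detection plus the proposed
# API-only HTTPS enforcement. Not part of the issue or the ATR code base.
from dataclasses import dataclass, field

# Constructed sample value: peers from which X-Forwarded-Proto is believed.
TRUSTED_PROXY_IPS = frozenset({"127.0.0.1", "::1"})

ERROR_BODY = {
    "error": "HTTPS required",
    "detail": "API requests must use HTTPS. Do not rely on HTTP-to-HTTPS redirects.",
}


@dataclass
class Request:
    path: str
    scheme: str                 # scheme on the hop that reached the app server
    remote_addr: str            # immediate peer of the app server
    headers: dict = field(default_factory=dict)


def is_api_path(path: str) -> bool:
    """True for the API blueprint's URL space (/api and anything under it)."""
    return path == "/api" or path.startswith("/api/")


def request_is_secure(req: Request) -> bool:
    """What ProxyFix + request.is_secure amounts to: honour X-Forwarded-Proto
    only when the peer is a trusted proxy; otherwise use the real scheme."""
    if req.remote_addr in TRUSTED_PROXY_IPS:
        forwarded = req.headers.get("X-Forwarded-Proto")
        if forwarded is not None:
            # Chained proxies may send "https, http"; the first entry is the
            # client-facing hop, which is the one that matters here.
            return forwarded.split(",")[0].strip().lower() == "https"
    # Untrusted peers cannot upgrade themselves by sending the header.
    return req.scheme.lower() == "https"


def enforce_https(req: Request):
    """Return None to let the request through, or (421, body) to reject it.
    Non-API paths are left alone so the proxy may keep redirecting them."""
    if not is_api_path(req.path):
        return None
    if request_is_secure(req):
        return None
    return 421, ERROR_BODY


if __name__ == "__main__":
    # Constructed sample requests covering the cases the issue cares about.
    samples = [
        Request("/api/jwt/create", "http", "127.0.0.1", {"X-Forwarded-Proto": "http"}),
        Request("/api/jwt/create", "http", "127.0.0.1", {"X-Forwarded-Proto": "https"}),
        Request("/api/key/add", "http", "203.0.113.5", {"X-Forwarded-Proto": "https"}),
        Request("/", "http", "127.0.0.1", {"X-Forwarded-Proto": "http"}),
    ]
    for s in samples:
        print(s.path, s.remote_addr, s.headers, "->", enforce_https(s))
```

The third sample is the caveat worth testing in the real deployment: a client that bypasses the proxy and sends `X-Forwarded-Proto: https` itself must still be rejected, which is only true if the proxy-trust boundary (the `trusted_hops` equivalent in `ProxyFixMiddleware`) is configured correctly.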
### Acceptance Criteria
- [ ] API endpoints reject HTTP requests with 421 status
- [ ] HTTPS enforcement is explicit, not proxy-dependent
- [ ] Error message guides developers to fix client configuration
- [ ] Test cases verify HTTP rejection
- [ ] Unit test verifying the fix
### References
- Source reports: L2:4.1.2.md
- Related findings: FINDING-228
- ASVS sections: 4.1.2
### Priority
Medium
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.