
Enforce HTTPS-only for SVN PubSub listener URL in atr/svn/pubsub.py #685

@andrewmusselman


ASVS Requirements: V12.2.1, V12.2.2
CWE: CWE-319 (Cleartext Transmission of Sensitive Information)
Severity: MEDIUM
File: atr/svn/pubsub.py (lines ~54–58)

Description

The PubSub listener URL validation accepts both http:// and https:// schemes, despite the error message suggesting HTTPS is expected. Commit notifications and credentials (used on lines ~69–70) could be transmitted in cleartext if an HTTP URL is configured.

Current code

# Accepts a plain http:// prefix as well as https://, so a cleartext URL passes validation
if not self.url.startswith(("http://", "https://")):
    log.error(
        f"Invalid PubSub URL: {self.url!r}. Expected full URL like 'https://pubsub.apache.org:2069'",
    )

Recommended fix for when we start to use PubSub

# Reject anything that is not https:// and leave the listener disabled
if not self.url.startswith("https://"):
    log.error(
        f"PubSub URL must use HTTPS: {self.url!r}. Example: 'https://pubsub.apache.org:2069'",
    )
    log.warning("SVNListener disabled: only HTTPS URLs are permitted")
    return
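The following is an added example, not code from the ATR project or from the issue author. It expresses the same HTTPS-only policy with urllib.parse instead of a string prefix, which also catches inputs a prefix check handles poorly: an empty host (`https://` alone passes `startswith("https://")`), a differently cased scheme (`HTTPS://...`, which urllib treats as https but a prefix check rejects), credentials embedded in the URL (which would otherwise be echoed into the error log line), and non-numeric or out-of-range ports. The `check_pubsub_url` and `listener_enabled` names and the `EXAMPLE_URL` default are assumptions; the listener's real configuration is not on the page.

```python
"""Added example (not ATR's code): scheme-aware validation of a PubSub listener URL.

Policy: only a well-formed https:// URL with a host, no embedded credentials and
a valid port is accepted. Anything else is logged and the listener stays disabled,
mirroring the recommended fix in the issue.
"""
import logging
from urllib.parse import urlsplit

log = logging.getLogger(__name__)

# Hypothetical example value; the issue only shows it inside an error message.
EXAMPLE_URL = "https://pubsub.apache.org:2069"


def check_pubsub_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only for an https URL that names a host.

    Rejecting userinfo in the URL is an added precaution: credentials belong in
    the listener's separate auth configuration, not in a string that is
    interpolated into log messages.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. a malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    # urlsplit already lower-cases the scheme, so "HTTPS://" compares equal here.
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme or '<none>'!r} is not https"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    try:
        _ = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        return False, f"invalid port: {exc}"
    return True, "ok"


def listener_enabled(url: str) -> bool:
    """Log and report False for a rejected URL, as the issue's recommended fix does."""
    ok, reason = check_pubsub_url(url)
    if not ok:
        log.error("PubSub URL must use HTTPS: %r (%s). Example: %r", url, reason, EXAMPLE_URL)
        log.warning("SVNListener disabled: only HTTPS URLs are permitted")
    return ok


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample inputs covering the accepted case and each rejection path.
    for candidate in (
        EXAMPLE_URL,
        "http://pubsub.apache.org:2069",
        "HTTPS://pubsub.apache.org:2069",
        "https://",
        "https://user:pw@pubsub.apache.org:2069",
        "https://pubsub.apache.org:abc",
    ):
        print(f"{candidate!r}: {check_pubsub_url(candidate)}")
```

Note that an `https` scheme only guarantees the client will attempt TLS; whether the server certificate is actually verified is a property of the HTTP client used on the lines the issue references, and should be confirmed separately from the URL check.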

Labels: ASVS (Anything related to ASVS requirements), L1 (ASVS L1 requirement), security (Issues related to security posture)