Description
Motivated by apache/tooling-trusted-releases#680
Handle codes like 403 by raising with error handling on the stack trace.
Copying body from ATR issue:
Source: V10.4.2 audit — Observation 2
Description
In src/asfquart/generics.py (line ~69), the OAuth token exchange uses a Python assert statement to verify the response from the authorization server:
```python
assert rv.status == 200, "Could not verify oauth response."
```

`assert` statements are stripped when Python is run with the `-O` (optimize) flag. If the application were ever started with optimization enabled, this check would be silently skipped, potentially allowing the OAuth flow to proceed with a failed or malicious token exchange response.
Recommendation
Replace with explicit exception handling:
```python
if rv.status != 200:
    return quart.Response(status=403, response="OAuth authentication failed.")
```

Severity
Low — requires the unlikely condition of running with -O, but violates defense-in-depth principles for an authentication-critical code path.
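Added illustration of the finding and the recommended fix (example code, not asfquart's own): the assert-based check from the audit next to the explicit branch the recommendation proposes, plus a small probe that starts a child interpreter with `-O` to show the assert being compiled out. `FakeResponse`, `TokenExchangeError` and `oauth_callback` are constructed stand-ins for the real response object and Quart view; the callback returns a `(status, text)` pair instead of a `quart.Response` so the example runs without Quart installed.

```python
"""Assert-based vs explicit status check for an OAuth token exchange.

Added example, not asfquart code. The response type, the exception class
and the view function are assumptions made for this illustration.
"""
import subprocess
import sys
from dataclasses import dataclass, field


@dataclass
class FakeResponse:
    """Stand-in for the HTTP response the token-exchange handler receives (constructed)."""
    status: int
    body: dict = field(default_factory=dict)


class TokenExchangeError(Exception):
    """Raised when the authorization server does not return a usable token."""


def verify_with_assert(rv: FakeResponse) -> dict:
    """The pattern flagged in the audit.

    Under `python -O` the assert is removed at compile time, so a 403 or 500
    response falls straight through and its body is treated as a token.
    """
    assert rv.status == 200, "Could not verify oauth response."
    return rv.body


def verify_explicit(rv: FakeResponse) -> dict:
    """The recommended pattern: an ordinary branch is never optimized away."""
    if rv.status != 200:
        raise TokenExchangeError(
            f"OAuth token exchange failed with HTTP {rv.status}")
    return rv.body


def oauth_callback(rv: FakeResponse) -> tuple:
    """Turn a failed exchange into a 403 for the client, as the issue recommends.

    Returns (status, text) instead of a quart.Response so it runs stand-alone.
    """
    try:
        token = verify_explicit(rv)
    except TokenExchangeError:
        return 403, "OAuth authentication failed."
    return 200, f"token={token.get('access_token', '')}"


def assert_is_stripped_under_optimize() -> bool:
    """Run a child interpreter with -O on a one-line probe.

    Returns True when a failing assert is silently skipped, i.e. when the
    interpreter reaches the print after `assert False`.
    """
    probe = "assert False, 'would fire without -O'\nprint('passed')"
    out = subprocess.run([sys.executable, "-O", "-c", probe],
                         capture_output=True, text=True, check=False)
    return out.stdout.strip() == "passed"


if __name__ == "__main__":
    denied = FakeResponse(403, {"access_token": "not-a-real-token"})  # constructed
    print("explicit check ->", oauth_callback(denied))
    try:
        verify_with_assert(denied)
        print("assert check -> passed (this interpreter is running with -O)")
    except AssertionError as exc:
        print("assert check -> AssertionError:", exc)
    print("assert stripped under -O in a child interpreter:",
          assert_is_stripped_under_optimize())
```

Run it once normally and once as `python -O example.py`: the explicit branch returns 403 both times, while the assert-based check only rejects the 403 response in the first run.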