
Commit e8410e1

authored
Merge pull request #2557 from jku/series/3.1
Release 3.1.1
2 parents f04dc71 + b59bf13 commit e8410e1


5 files changed

+46
-6
lines changed


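--- a/.github/workflows/_test.yml
+++ b/.github/workflows/_test.yml
@@ -14,10 +14,10 @@ jobs:
 - name: Checkout TUF
 uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 
-- name: Set up Python 3.x
+- name: Set up Python (oldest supported version)
 uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
-python-version: 3.x
+python-version: 3.8
 cache: 'pip'
 cache-dependency-path: 'requirements/*.txt'
 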
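Review bot: The `python-version: 3.8` pin hard-codes the project's minimum interpreter in the workflow, so the step name "oldest supported version" goes stale silently when the supported floor moves, which is presumably declared elsewhere (e.g. `requires-python` in pyproject.toml). A one-line comment beside the pin, `# keep in sync with requires-python in pyproject.toml`, would tie the two places together. If no other job in this workflow still exercises a current 3.x interpreter, this hunk also drops coverage of the newest release; the rest of the `jobs:` block is outside the hunk, so that cannot be confirmed here.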
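--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog
 
+## v3.1.1
+
+This is a security fix release to address advisory
+GHSA-77hh-43cm-v8j6. The issue does **not** affect tuf.ngclient
+users, but could affect tuf.api.metadata users.
+
+### Changed
+* Added additional input validation to
+`tuf.api.metadata.Targets.get_delegated_role()`
+
 ## v3.1.0
 
 ### Added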

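--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -1008,6 +1008,33 @@ def test_get_roles_in_succinct_roles(self) -> None:
 expected_bin_suffix = f"{bin_numer:0{expected_suffix_length}x}"
 self.assertEqual(role_name, f"bin-{expected_bin_suffix}")
 
+def test_delegations_get_delegated_role(self) -> None:
+delegations = Delegations({}, {})
+targets = Targets(delegations=delegations)
+
+with self.assertRaises(ValueError):
+targets.get_delegated_role("abc")
+
+# test "normal" delegated role (path or path_hash_prefix)
+role = DelegatedRole("delegated", [], 1, False, [])
+delegations.roles = {"delegated": role}
+with self.assertRaises(ValueError):
+targets.get_delegated_role("not-delegated")
+self.assertEqual(targets.get_delegated_role("delegated"), role)
+delegations.roles = None
+
+# test succinct delegation
+bit_len = 3
+role2 = SuccinctRoles([], 1, bit_len, "prefix")
+delegations.succinct_roles = role2
+for name in ["prefix-", "prefix--1", f"prefix-{2**bit_len:0x}"]:
+with self.assertRaises(ValueError, msg=f"role name '{name}'"):
+targets.get_delegated_role(name)
+for i in range(0, 2**bit_len):
+self.assertEqual(
+targets.get_delegated_role(f"prefix-{i:0x}"), role2
+)
+
 
 # Run unit test.
 if __name__ == "__main__":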
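Review bot: The rejected-name list in the succinct-delegation loop, `["prefix-", "prefix--1", f"prefix-{2**bit_len:0x}"]`, contains no name with a wrong prefix and none with a suffix of the wrong width, so the test would still pass if `is_delegated_role()` validated only the numeric range. Adding `"other-0"` and `"prefix-00"` to that list would pin the prefix and width checks as well, assuming those names are rejected by design; the check itself lives in SuccinctRoles, outside this hunk, so that cannot be confirmed here. The enclosing test class begins above the hunk.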

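--- a/tuf/__init__.py
+++ b/tuf/__init__.py
@@ -5,4 +5,4 @@
 """
 
 # This value is used in the requests user agent.
-__version__ = "3.1.0"
+__version__ = "3.1.1"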

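--- a/tuf/api/metadata.py
+++ b/tuf/api/metadata.py
@@ -2044,10 +2044,13 @@ def get_delegated_role(self, delegated_role: str) -> Role:
 if self.delegations is None:
 raise ValueError("No delegations found")
 
+role: Optional[Role] = None
 if self.delegations.roles is not None:
-role: Optional[Role] = self.delegations.roles.get(delegated_role)
-else:
-role = self.delegations.succinct_roles
+role = self.delegations.roles.get(delegated_role)
+elif self.delegations.succinct_roles is not None:
+succinct = self.delegations.succinct_roles
+if succinct.is_delegated_role(delegated_role):
+role = succinct
 
 if not role:
 raise ValueError(f"Delegated role {delegated_role} not found")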
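Review bot: The fallthrough check `if not role:` tests a Role object for truthiness, while the branches above it only ever leave `role` as a Role instance or `None`; `if role is None:` states the intent exactly and stays correct even if Role later gains a `__len__` or `__bool__`. The docstring of get_delegated_role, whose definition starts above the hunk, should also record that for succinct delegations a name rejected by `is_delegated_role()` now raises ValueError instead of returning the SuccinctRoles object, since the changelog says this behaviour change is visible to tuf.api.metadata callers; if the docstring already says so, disregard this part.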
