fix(vulnogram-api): treat non-login 3xx as valid session in probe #196
`vulnogram-api-check` was returning `error: HTTP 302` whenever `/cve5/new` redirected to a non-login URL. Upstream Vulnogram now 302-redirects `/cve5/new` → `/allocatecve` (the PMC-gated allocation page), and the probe code treated *any* non-OAuth 3xx as an unknown error.

The signal `_is_login_redirect` already encodes the only failure mode worth detecting (3xx to `oauth.apache.org` or `/users/login` → session expired). Any *other* 3xx means the app processed the session cookie successfully and chose to redirect to a different authenticated page — the session is valid; only the post-auth landing page changed.

This was producing false-negative "expired" diagnoses on adopter machines whose sessions were actually working — `vulnogram-api-record-update` (which hits a different endpoint) kept succeeding, so the `security-issue-sync` skill was incorrectly falling back to the "manual paste required" release-manager hand-off variant on trackers whose CVE JSON had in fact been auto-pushed.

Fix: accept any non-login 3xx as `valid`. Added a regression test covering the `/cve5/new` → `/allocatecve` case.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Hah!! We have direct pushing of CVE to vulnogram working :)
Summary

`vulnogram-api-check` was returning `error: HTTP 302` whenever the probe URL redirected to a non-login destination. Upstream Vulnogram now 302-redirects `/cve5/new` → `/allocatecve` (the PMC-gated allocation page), and the probe code treated any non-OAuth 3xx as an unknown error.

This was producing false-negative "expired" diagnoses on adopter machines whose sessions were actually working — `vulnogram-api-record-update` (which hits a different endpoint) kept succeeding, so `security-issue-sync` was incorrectly falling back to the "manual paste required" release-manager hand-off variant on trackers whose CVE JSON had in fact been auto-pushed.

Fix

`_is_login_redirect` already encodes the only failure mode worth detecting (3xx to `oauth.apache.org` or `/users/login` → session expired). Any other 3xx means the app processed the session cookie successfully and chose to redirect to a different authenticated page — the session is valid; only the post-auth landing page changed.

The fix is a one-line additive condition in `probe()` plus a regression test covering the `/cve5/new` → `/allocatecve` case.

Diff

- `tools/vulnogram/oauth-api/src/vulnogram_api/client.py` (`probe()` accepts non-login 3xx as valid, with docstring explaining why)
- `tools/vulnogram/oauth-api/tests/test_client.py` (`test_probe_valid_on_non_login_redirect`)

Test plan

- `pytest tests/test_client.py` — 14 tests pass (was 13 + the new regression test).
- Was `error: HTTP 302`, now returns `valid` (URL redirects to `/allocatecve` as expected).
- `vulnogram-api-record-update` for 3 CVEs (`CVE-2026-27173`, `CVE-2026-42359`, `CVE-2026-42526`) — all succeeded, demonstrating that the session is functional and the probe was the false negative.
- `vulnogram-api-check` flips from `error: HTTP 302` → `valid` after this lands.

Why "treat as valid" instead of changing the probe URL

The alternatives considered:

- `/cve5` (dashboard) — would work for now but breaks again the next time Vulnogram reshuffles routing.
- Handling it in `_request` — invasive change to `_request`'s contract; other call sites rely on seeing the raw 3xx.

🤖 Generated with Claude Code
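As an added illustration of the verdict logic this PR describes (not the project's `client.py`), the function below classifies the raw, un-followed probe response and can be switched back to the pre-fix behaviour to reproduce the false negative. Function names, the treatment of 2xx, and the sample responses are assumptions modelled on the PR text.

```python
# Added illustration of the probe verdict described in this PR; not the project's
# client.py. Names and the 2xx handling are assumptions modelled on the PR text.
from __future__ import annotations
from urllib.parse import urlsplit

LOGIN_HOST = "oauth.apache.org"   # OAuth bounce target named in the PR
LOGIN_PATH = "/users/login"       # local login page named in the PR


def is_login_redirect(status: int, location: str | None) -> bool:
    """True for a 3xx whose Location points at the OAuth host or the login page:
    the session cookie was rejected. Mirrors the _is_login_redirect signal."""
    if not 300 <= status < 400 or not location:
        return False
    parts = urlsplit(location)
    # Location may be absolute (https://host/...) or host-relative (/users/login?...)
    return parts.netloc.lower() == LOGIN_HOST or parts.path.startswith(LOGIN_PATH)


def classify_probe(status: int, location: str | None, accept_non_login_3xx: bool = True) -> str:
    """Verdict for the raw, un-followed probe response.
    accept_non_login_3xx=False reproduces the pre-fix behaviour that turned the
    /cve5/new -> /allocatecve redirect into a spurious 'error: HTTP 302'."""
    if 200 <= status < 300:
        return "valid"  # assumption: a 2xx page load means the cookie was accepted
    if is_login_redirect(status, location):
        return "expired"
    if accept_non_login_3xx and 300 <= status < 400:
        # App accepted the cookie and merely chose another authenticated landing page.
        return "valid"
    return f"error: HTTP {status}"


# Constructed (status, Location) pairs, not real captures.
SAMPLES = {
    "cve5_new_to_allocatecve": (302, "/allocatecve"),
    "oauth_bounce": (302, "https://oauth.apache.org/auth?redirect_uri=%2Fcve5%2Fnew"),
    "relative_login": (303, "/users/login?next=%2Fcve5%2Fnew"),
    "dashboard_ok": (200, None),
    "server_error": (502, None),
}


def run_samples(accept_non_login_3xx: bool = True) -> dict[str, str]:
    return {n: classify_probe(s, loc, accept_non_login_3xx) for n, (s, loc) in SAMPLES.items()}

if __name__ == "__main__":
    for name in SAMPLES:  # show before/after side by side
        print(f"{name:26s} before={run_samples(False)[name]:16s} after={run_samples()[name]}")
```

The login check deliberately inspects the Location header rather than following the redirect, matching the PR's point that other `_request` callers depend on seeing the raw 3xx.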