andrewmusselman commented on issue #659:
URL: https://github.com/apache/tooling-trusted-releases/issues/659#issuecomment-3912441321
Related, same fix:
# Debug mode session cache bypasses LDAP validation
**Audit refs:** 8.1.1 HIGH-04
#### Description
`atr/principal.py:236-251` — in Debug mode, authorization data is loaded
from a session cache file, bypassing LDAP validation entirely. Committee
memberships and project access are read from user-controlled file contents.
```python
if config.get_mode() == config.Mode.Debug:
    session_cache = await util.session_cache_read()
    if asf_uid in session_cache:
        committees = frozenset(cached_session.get("pmcs", []))  # File-controlled
        projects = frozenset(cached_session.get("projects", []))
```
#### Recommended fix
Combine the config flag with environment verification. Ensure debug-only
code paths cannot execute in production deployments through runtime checks.
**CWE:** CWE-287
--
This is an automated message from the Apache Git Service.
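As an added illustration of the recommended fix (example code, not the ATR project's own): the session cache is consulted only when the config mode is Debug and a runtime environment check independently agrees, otherwise the directory lookup is used. The `ATR_ENV` and `ATR_ALLOW_SESSION_CACHE` variables and the in-memory stand-ins for LDAP and the cache file are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Mapping, Optional


class Mode(Enum):
    Debug = "debug"
    Production = "production"


@dataclass(frozen=True)
class Principal:
    asf_uid: str
    committees: frozenset
    projects: frozenset
    source: str  # "ldap" or "session_cache", so callers can audit where authz came from


# Constructed sample data standing in for the LDAP directory and for the
# on-disk session cache file described in the issue (its contents are untrusted).
LDAP_DIRECTORY = {"alice": {"pmcs": ["tooling"], "projects": ["atr"]}}
SESSION_CACHE = {"alice": {"pmcs": ["tooling", "infra"], "projects": ["atr", "secret"]}}


def debug_cache_allowed(mode: Mode, environ: Mapping[str, str]) -> bool:
    """Debug cache is usable only if the config flag AND the runtime environment
    both say so; a Debug config alone is not enough. Variable names are hypothetical."""
    return (
        mode is Mode.Debug
        and environ.get("ATR_ENV") == "local"
        and environ.get("ATR_ALLOW_SESSION_CACHE") == "1"
    )


def load_principal(asf_uid: str, mode: Mode, environ: Mapping[str, str],
                   ldap=LDAP_DIRECTORY, cache=SESSION_CACHE) -> Optional[Principal]:
    """Resolve committee and project membership for asf_uid."""
    if debug_cache_allowed(mode, environ) and asf_uid in cache:
        cached = cache[asf_uid]
        return Principal(asf_uid, frozenset(cached.get("pmcs", [])),
                         frozenset(cached.get("projects", [])), "session_cache")
    # Default path: authoritative directory data, never the file.
    entry = ldap.get(asf_uid)
    if entry is None:
        return None
    return Principal(asf_uid, frozenset(entry["pmcs"]), frozenset(entry["projects"]), "ldap")
```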