asf-tooling opened a new issue, #952:
URL: https://github.com/apache/tooling-trusted-releases/issues/952
**ASVS Level(s):** [L1]
**Description:**
### Summary
The `validate_session_lifetime()` function runs as a `@app.before_request`
hook on every HTTP request but only validates session age (created_at
timestamp), not LDAP account status. The `ldap.is_active()` control exists and
is used in `authenticate()` for specific routes, but is not called in this
global hook. This creates inconsistent protection where some routes check
account status via `authenticate()` while others rely solely on the global hook
which only validates session age, leading to false security confidence.
### Details
**Affected Files and Lines:**
- `atr/server.py:308-331` - validate_session_lifetime() without account
status check
The infrastructure for global validation exists but the critical account
status check is missing. This means disabled accounts can continue to access
routes that don't explicitly call `authenticate()`, creating an authorization
bypass.
### Recommended Remediation
Add periodic account status revalidation to `validate_session_lifetime()`
hook with caching to balance security vs LDAP load:
```python
# atr/server.py - in validate_session_lifetime() hook
# Assumes time, quart, asfquart.session, ldap and log are already imported
# in server.py, and that session_data is the dict read from the session store.
ACCOUNT_CHECK_INTERVAL = 300  # seconds (5 minutes)

if session_data:
    account_checked_at = session_data.get('account_checked_at', 0)
    current_time = time.time()
    if current_time - account_checked_at > ACCOUNT_CHECK_INTERVAL:
        if not ldap.is_active(session_data['uid']):
            log.info('session_invalidated_account_disabled',
                     extra={'asf_uid': session_data['uid']})
            asfquart.session.clear()
            return quart.redirect('/auth?reason=account_disabled')
        # Account still active: record the check time so the next LDAP
        # lookup is deferred for ACCOUNT_CHECK_INTERVAL seconds.
        session_data['account_checked_at'] = current_time
        asfquart.session.write(session_data)
```
### Acceptance Criteria
- [ ] Account status check added to global hook
- [ ] Caching mechanism prevents LDAP overload
- [ ] Session cleared when account disabled
- [ ] User redirected with appropriate message
- [ ] Last check timestamp stored in session
- [ ] Unit test verifying the fix
### References
- Source reports: L1:7.4.2.md
- Related findings: FINDING-006, FINDING-129
- ASVS sections: 7.4.2
### Priority
Critical
---
**Related issue:**
https://github.com/apache/tooling-trusted-releases/issues/731
---
**Triage notes:** attach to session store - validate_session_lifetime won't
be needed when we update asfquart
https://github.com/apache/tooling-trusted-releases/issues/731
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]