asf-tooling opened a new issue, #956:
URL: https://github.com/apache/tooling-trusted-releases/issues/956
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The `/admin/env` endpoint exposes all environment variables including
sensitive credentials (LDAP_BIND_PASSWORD, GITHUB_TOKEN, PUBSUB_PASSWORD,
SVN_TOKEN, DATABASE_URL, JWT signing keys) in plaintext without any redaction.
This contrasts with the `/admin/configuration` endpoint in the same file which
properly implements secret redaction using pattern matching. While admin
authentication is required, this creates an undocumented log broadcast channel
that violates multiple ASVS requirements for secret protection and logging
control.
### Details
**Affected Files and Lines:**
- `atr/admin/__init__.py:320-350` - Environment variable endpoint without
redaction
The endpoint returns all environment variables without filtering, exposing
database credentials, API tokens, and cryptographic keys. This creates
unnecessary risk even with admin authentication, as compromised admin sessions
or logging systems could capture these secrets.
### Recommended Remediation
Apply the same `sensitive_config_patterns` redaction logic used in
`configuration()` to the `env()` endpoint:
```python
import os

sensitive_patterns = ('PASSWORD', 'SECRET', 'TOKEN', 'KEY', 'CREDENTIAL')
redacted_env = {}
for key, value in os.environ.items():
    # Case-insensitive match on the variable name; redact the whole value.
    if any(pattern in key.upper() for pattern in sensitive_patterns):
        redacted_env[key] = '***REDACTED***'
    else:
        redacted_env[key] = value
```
Additionally, document this endpoint in the log inventory as a broadcast
channel.
### Acceptance Criteria
- [ ] Sensitive pattern matching implemented
- [ ] Credentials redacted in response
- [ ] Redaction logic matches configuration endpoint
- [ ] Endpoint documented in log inventory
- [ ] Integration test verifies redaction
- [ ] Unit test verifying the fix
### References
- Source reports: L2:13.3.1.md, L2:13.3.2.md, L2:14.1.1.md, L2:16.2.3.md
- Related findings: FINDING-015
- ASVS sections: 13.3.1, 13.3.2, 14.1.1, 16.2.3
### Priority
Critical
---
**Triage notes:** possibly remove endpoint
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
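A fuller version of the redaction the issue recommends, written here as an added example rather than code from the issue or from the apache/tooling-trusted-releases project (whose actual `sensitive_config_patterns` logic is not shown above). It keeps the key-name patterns from the snippet and adds one check a practitioner would want: `DATABASE_URL` is named in the summary as sensitive, yet its name matches none of the proposed patterns, so a key-only filter would still return the embedded `user:password@` in its value. The example therefore also scrubs URL userinfo from values whose keys look harmless. The sample environment is constructed with fake values; `redact_env`, `is_sensitive_key` and `redact_value` are names chosen for this example.

```python
import os
import re
from typing import Mapping

# Key substrings treated as sensitive (case-insensitive). These are the patterns
# proposed in the issue; over-matching (e.g. "KEYBOARD") is acceptable because
# redacting too much fails safe, redacting too little does not.
SENSITIVE_KEY_PATTERNS = ("PASSWORD", "SECRET", "TOKEN", "KEY", "CREDENTIAL")

REDACTED = "***REDACTED***"

# Matches the userinfo part of a URL ("user:pass@") so that a value such as
# DATABASE_URL=postgresql://atr:pw@db/atr is scrubbed even though the variable
# name matches none of the key patterns above.
_URL_USERINFO = re.compile(
    r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*://)(?P<userinfo>[^/@\s]+)@"
)


def is_sensitive_key(key: str) -> bool:
    """True if the variable name alone marks the value as a secret."""
    upper = key.upper()
    return any(pattern in upper for pattern in SENSITIVE_KEY_PATTERNS)


def redact_value(value: str) -> str:
    """Strip embedded URL credentials from a value whose key looks harmless."""
    return _URL_USERINFO.sub(lambda m: f"{m.group('scheme')}{REDACTED}@", value)


def redact_env(env: Mapping[str, str]) -> dict[str, str]:
    """Return a copy of env safe to render in an admin page or log."""
    out: dict[str, str] = {}
    for key, value in env.items():
        if is_sensitive_key(key):
            out[key] = REDACTED
        else:
            out[key] = redact_value(value)
    return out


# Constructed sample environment (hypothetical names, fake values).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/atr",
    "LDAP_BIND_PASSWORD": "fake-ldap-pw",
    "GITHUB_TOKEN": "ghp_fake",
    "PUBSUB_PASSWORD": "fake-pubsub-pw",
    "SVN_TOKEN": "fake-svn-token",
    "DATABASE_URL": "postgresql://atr:fake-db-pw@db.internal:5432/atr",
    "JWT_SIGNING_KEY": "fake-jwt-key",
}


def redacted_sample() -> dict[str, str]:
    """Redact the constructed sample; used for the worked check below."""
    return redact_env(SAMPLE_ENV)


if __name__ == "__main__":
    # Run against the real process environment when executed directly.
    for key, value in sorted(redact_env(os.environ).items()):
        print(f"{key}={value}")
```

Note that the value-based scrub only covers the URL userinfo form; an integration test for the endpoint should assert on the rendered response rather than on the helper alone, since a template or logger that formats the raw `os.environ` elsewhere would bypass the helper entirely.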