asf-tooling opened a new issue, #957:
URL: https://github.com/apache/tooling-trusted-releases/issues/957

   **ASVS Level(s):** [L2-only]
   
   **Description:**
   
   ### Summary
   An administrator can impersonate any user account with zero audit logging. The only logging code present was explicitly commented out, and even that would have logged to the general log rather than the dedicated audit log. A compromised admin account used for malicious impersonation leaves zero forensic evidence, violating the fundamental principle that privileged operations must be auditable.
   
   ### Details
   **Affected Files and Lines:**
   - `atr/admin/__init__.py:135-165` - User impersonation without audit logging
   
   The impersonation function modifies the session to impersonate another user but creates no audit trail. Even the commented-out logging would not have used the dedicated audit log infrastructure.
   
   ### Recommended Remediation
   Add explicit audit logging before session modification using `storage.audit()`:
   
   ```python
   storage.audit(
       operation='admin_impersonation',
       admin_asf_uid=current_session['uid'],
       target_asf_uid=target_username,
       remote_addr=request.remote_addr,
       user_agent=request.headers.get('User-Agent')
   )
   ```
   
   The audit log entry must be written BEFORE the session cookie is modified to ensure the event is captured even if subsequent operations fail.
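   As an added illustration of the ordering described above (example code, not ATR's own `atr/admin/__init__.py`): the audit record is persisted first and the impersonation fails closed if the audit write raises, so the session is never modified without a matching audit entry. `AuditStore`, `AuditFailed`, `impersonate()` and the `impersonator_uid` session field are assumptions of this example; a real handler would pass the project's `storage` object and the framework's request/session.

```python
import dataclasses
import datetime


@dataclasses.dataclass(frozen=True)
class AuditEntry:
    """One record in the dedicated audit log (fields named after the issue)."""
    operation: str
    admin_asf_uid: str
    target_asf_uid: str
    remote_addr: str
    user_agent: str
    timestamp: str


class AuditStore:
    """Constructed stand-in for the project's audit storage; `fail` simulates an outage."""

    def __init__(self, fail: bool = False) -> None:
        self.entries: list[AuditEntry] = []
        self.fail = fail

    def audit(self, **fields: str) -> None:
        if self.fail:
            raise OSError("audit log unavailable")
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.entries.append(AuditEntry(timestamp=stamp, **fields))


class AuditFailed(RuntimeError):
    """Raised when the audit record could not be persisted; impersonation is refused."""


def impersonate(session: dict, target_username: str, remote_addr: str,
                user_agent: str, storage: AuditStore) -> dict:
    """Return a new session impersonating `target_username`, audit entry first."""
    admin_uid = session["uid"]
    # Step 1: persist the audit record BEFORE touching the session. If this
    # raises, nothing below runs and the caller's session is left untouched.
    try:
        storage.audit(operation="admin_impersonation", admin_asf_uid=admin_uid,
                      target_asf_uid=target_username, remote_addr=remote_addr,
                      user_agent=user_agent)
    except Exception as exc:
        raise AuditFailed("refusing impersonation: audit entry not persisted") from exc
    # Step 2: only now build the modified session. Keeping the real admin UID
    # alongside the impersonated one (an addition of this example) lets later
    # log lines still be attributed to the administrator.
    new_session = dict(session)
    new_session["impersonator_uid"] = admin_uid
    new_session["uid"] = target_username
    return new_session
```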
   
   ### Acceptance Criteria
   - [ ] Audit log entry created before impersonation
   - [ ] Admin UID captured
   - [ ] Target UID captured
   - [ ] Remote address captured
   - [ ] User agent captured
   - [ ] Audit log persisted before session modification
   - [ ] Unit test verifying the fix
   
   ### References
   - Source reports: L2:16.2.1.md
   - Related findings: FINDING-018, FINDING-019
   - ASVS sections: 16.2.1
   
   ### Priority
   Critical
   
   ---
   
   **Related issue:** https://github.com/apache/tooling-trusted-releases/issues/666
   
   ---
   
   **Triage notes:** add inline audit_guidance https://github.com/apache/tooling-trusted-releases/issues/666
