This is an automated email from the ASF dual-hosted git repository. wave pushed a commit to branch prevent-enumeration in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit 198e6b79f7a1e1c83d24b3e065a6dd7d5321721b
Author: Dave Fisher <[email protected]>
AuthorDate: Tue Jan 20 09:13:57 2026 -0800

Prevent enumeration
---
atr/principal.py | 2 +-
atr/storage/writers/tokens.py | 6 ++----
2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/atr/principal.py b/atr/principal.py
index 44b0874..f6aab09 100644
--- a/atr/principal.py
+++ b/atr/principal.py
@@ -148,7 +148,7 @@ class Committer:
 ldap_scope="BASE",
 )
 if not (result and (len(result) == 1)):
-raise CommitterError(f"User {self.user!r} not found in LDAP")
+raise CommitterError(f"Authentication failed")
 except CommitterError:
 raise
 except Exception as ex:
diff --git a/atr/storage/writers/tokens.py b/atr/storage/writers/tokens.py
index e3ca4cf..89259eb 100644
--- a/atr/storage/writers/tokens.py
+++ b/atr/storage/writers/tokens.py
@@ -90,10 +90,8 @@ class FoundationCommitter(GeneralPublic):
 sql.PersonalAccessToken.token_hash == pat_hash,
 )
 )
-if pat is None:
-raise storage.AccessError("Invalid PAT")
-if pat.expires < datetime.datetime.now(datetime.UTC):
-raise storage.AccessError("Expired PAT")
+if pat is None or pat.expires < datetime.datetime.now(datetime.UTC):
+raise storage.AccessError("Authentication failed")
 issued_jwt = jwtoken.issue(self.__asf_uid)
 pat.last_used = datetime.datetime.now(datetime.UTC)
 await self.__data.commit()
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
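Review bot: The new raise in the atr/principal.py hunk keeps an `f` prefix on a string that no longer has any placeholders; `raise CommitterError("Authentication failed")` is the intended form (ruff F541). Removing the user id from the caller-facing message is the right move against account enumeration, but an operator now gets no signal when an LDAP lookup returns zero or multiple entries, so it is worth recording the failing `self.user` and the result count in a server-side log line just before the raise while keeping the exception text generic. The enclosing method and its `except Exception as ex:` handler continue outside the hunk, so I could not confirm whether a logger is already in scope there.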
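Review bot: In the atr/storage/writers/tokens.py hunk `datetime.datetime.now(datetime.UTC)` is now evaluated twice on the new side, once in the merged expiry check and again for `pat.last_used`; binding it once with `now = datetime.datetime.now(datetime.UTC)` and using `now` in both places keeps the expiry decision and the recorded last-use timestamp consistent. Collapsing "Invalid PAT" and "Expired PAT" into one "Authentication failed" message correctly stops a caller from learning whether a presented token ever existed, but the two branches should still be told apart server-side (a log line naming which condition rejected, never the token or its hash) so that expired-token support requests remain diagnosable. The comparison `pat.expires < now` presumably relies on `expires` being stored timezone-aware; if the column can hold a naive datetime the comparison would raise rather than reject, which is worth confirming against the model definition. The enclosing method starts and ends outside the hunk.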
