andrewmusselman opened a new issue, #546:
URL: https://github.com/apache/tooling-trusted-releases/issues/546
## Summary
Authentication error messages reveal whether a user exists in LDAP and whether
a PAT is expired rather than unknown, so an attacker can enumerate valid
usernames and distinguish real (expired) tokens from invalid ones.
## ASVS Requirements
- 6.2.3 - No user enumeration from errors
## Related Audit Reports
- [Credential Integrity #406](ASVS/credential-integrity-406.md) - Issue 2
## Affected Files
- `atr/principal.py:150-151`
- `atr/storage/writers/tokens.py:93-97`
## Current Behavior
```python
# principal.py
raise CommitterError(f"User {self.user!r} not found in LDAP")

# tokens.py
if pat is None:
    raise storage.AccessError("Invalid PAT")
if pat.expires < datetime.datetime.now(datetime.UTC):
    raise storage.AccessError("Expired PAT")  # Reveals token exists!
```
## Recommended Fix
```python
# principal.py
raise CommitterError("Authentication failed")

# tokens.py - combine checks so both failures produce the same message
if pat is None or pat.expires < datetime.datetime.now(datetime.UTC):
    raise storage.AccessError("Authentication failed")
```
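The following is an added, self-contained illustration of the before/after behaviour above; it is not code from the tooling-trusted-releases repository. It models the PAT lookup with a constructed in-memory store (one live token, one expired an hour ago), keeps the leaky version beside the hardened one, and logs the real rejection reason server-side so operators lose nothing while the caller sees a single message. `AccessError`, `PAT`, `_STORE` and the helper names are assumptions made for the example; the same pattern applies to the LDAP "not found" case in `principal.py`.

```python
import datetime
import logging
from dataclasses import dataclass
from typing import Callable, Optional

log = logging.getLogger("atr.auth")


class AccessError(Exception):
    """Stand-in for storage.AccessError; its message is assumed to reach the caller."""


@dataclass
class PAT:
    token: str
    owner: str
    expires: datetime.datetime


def _now() -> datetime.datetime:
    # timezone.utc is the pre-3.11 spelling of datetime.UTC used on the page.
    return datetime.datetime.now(datetime.timezone.utc)


# Constructed sample store: one live token and one that expired an hour ago.
_STORE = {
    "pat-live": PAT("pat-live", "alice", _now() + datetime.timedelta(days=1)),
    "pat-stale": PAT("pat-stale", "bob", _now() - datetime.timedelta(hours=1)),
}


def validate_pat_leaky(token: str) -> str:
    """Before: two distinct messages let a caller tell 'unknown' from 'expired'."""
    pat = _STORE.get(token)
    if pat is None:
        raise AccessError("Invalid PAT")
    if pat.expires < _now():
        raise AccessError("Expired PAT")  # confirms the token exists
    return pat.owner


def validate_pat_fixed(token: str) -> str:
    """After: one generic message; the specific reason goes to the server log only."""
    pat = _STORE.get(token)
    reason: Optional[str] = None
    if pat is None:
        reason = "unknown token"
    elif pat.expires < _now():
        reason = "expired token"
    if reason is not None:
        # Operators still get the detail; the HTTP/CLI caller does not.
        log.info("PAT rejected: %s", reason)
        raise AccessError("Authentication failed")
    return pat.owner


def error_message(check: Callable[[str], str], token: str) -> Optional[str]:
    """Return the message a caller would see, or None if the token was accepted."""
    try:
        check(token)
    except AccessError as e:
        return str(e)
    return None


def distinguishable(check: Callable[[str], str]) -> bool:
    """True if the caller-visible message differs for an unknown vs an expired token."""
    return error_message(check, "pat-missing") != error_message(check, "pat-stale")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("leaky distinguishable:", distinguishable(validate_pat_leaky))
    print("fixed distinguishable:", distinguishable(validate_pat_fixed))
```

Note that unifying the message removes the content oracle only; in both the page's combined `or` check and the version above, the datetime comparison runs for an expired token but is short-circuited for an unknown one, so a small timing difference remains. That is why rate limiting on the authentication endpoint is the right complement: it does not make the code constant-time, it makes the residual signal too expensive to harvest.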
## Acceptance Criteria
- [ ] Generic "Authentication failed" message for all auth failures
- [ ] No differentiation between non-existent and expired credentials
- [ ] Rate limiting on authentication attempts, since a unified message still leaves a small timing difference between the two failure paths and rate limiting keeps that from being exploited at enumeration scale
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]