andrewmusselman opened a new issue, #596:
URL: https://github.com/apache/tooling-trusted-releases/issues/596
## Summary
Web sessions can remain valid indefinitely with continued activity. The
application uses sliding session expiration only, with no absolute maximum
lifetime enforced. This allows compromised sessions unlimited exploitation
windows.
## ASVS Requirements
- 7.3.2 - Verify that there is an absolute maximum session lifetime such
that re-authentication is enforced
## Related Audit Reports
- [7.3.2.md](ASVS/reports/44ee502/L1/7.3.2.md) - ASVS-732-CRIT-001
## Affected Files
- `atr/config.py` (lines 70-74) - Missing lifetime configuration
- `atr/server.py` - Session initialization
- `atr/web.py` - `Committer` class lacks age validation
- `typestubs/asfquart/session.pyi` - External library interface
## Current Behavior
```python
# atr/config.py lines 70-74
class AppConfig:
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SAMESITE = "Strict"
SESSION_COOKIE_NAME = "__Host-session"
# MISSING: No SESSION_PERMANENT_LIFETIME or absolute timeout
# typestubs/asfquart/session.pyi - confirms sliding expiration only
async def read(expiry_time=..., app=...) -> typing.Optional[ClientSession]:
"""Fetches a cookie-based session if found (and valid), and updates the
last access timestamp
for the session."""
...
```
## Risk
- Sessions with continued activity remain valid indefinitely
- Compromised sessions cannot be limited by time-based controls
- Session fixation or hijacking attacks have unlimited exploitation windows
- Violates compliance requirements (PCI-DSS, SOC2, ASVS)
## Recommended Fix
```python
# Option 1: Application-layer enforcement in atr/web.py
from datetime import timedelta, datetime, UTC
from typing import Final
MAX_SESSION_LIFETIME_HOURS: Final[int] = 72
class Committer:
def __init__(self, web_session: session.ClientSession) -> None:
self.session = web_session
self._validate_session_lifetime()
def _validate_session_lifetime(self) -> None:
session_created = getattr(self.session, 'created_at', None)
if session_created is None:
raise base.ASFQuartException("Session expired", errorcode=401)
if (datetime.now(UTC) - session_created) >
timedelta(hours=MAX_SESSION_LIFETIME_HOURS):
raise base.ASFQuartException("Session expired", errorcode=401)
# Option 2: Add to atr/config.py
ABSOLUTE_SESSION_MAX_SECONDS: Final[int] = 28800 # 8 hours
```
## Acceptance Criteria
- [ ] Session creation timestamp stored in session metadata
- [ ] Maximum session lifetime configured (recommend 8 hours)
- [ ] Age validation performed on every authenticated request
- [ ] Expired sessions redirected to login with `?reason=session_expired`
- [ ] Re-authentication enforced after maximum lifetime exceeded
- [ ] Configuration documented in security documentation
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
