andrewmusselman opened a new issue, #674:
URL: https://github.com/apache/tooling-trusted-releases/issues/674
**ASVS Requirement:** 9.2.1 — Token Validity Time Span Verification
**Severity:** Low
**CWE:** CWE-613 (Insufficient Session Expiration)
### Description
In `atr/ssh.py:136-149`, the SSH workflow key validation checks that the key
has not expired (`workflow_key.expires < now`) but does not check a not-before
timestamp. If the data model supports (or will support) a `not_before` field,
keys could be accepted before their intended activation time.
### Recommended fix
1. Document in-line with prefixed comment: this is not a concern for this
application
2. Inform prompt about prefixed comments
If the workflow key model has or gains a `not_before` field, add a check:
```python
if hasattr(workflow_key, 'not_before') and workflow_key.not_before is not
None:
if now < workflow_key.not_before:
return False
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
