andrewmusselman opened a new issue, #700:
URL: https://github.com/apache/tooling-trusted-releases/issues/700
**ASVS:** 15.3.1 · Finding 2
**Severity:** HIGH
**CWE:** CWE-200 (Exposure of Sensitive Information)
### Description
Methods in `atr/storage/readers/tokens.py` (lines 44–55) and
`atr/storage/writers/tokens.py` (lines 47–60) return full `PersonalAccessToken`
SQL model objects including the `token_hash` field. While these are hashed
values, exposing them enables offline brute-force attacks against tokens.
```python
async def own_personal_access_tokens(self) -> list[sql.PersonalAccessToken]:
    stmt = sqlmodel.select(sql.PersonalAccessToken)  # Selects ALL columns
    return await self.__data.query_all(stmt)  # Returns full objects including token_hash
```
> **Note:** This is distinct from open issue #598 (invalidate PATs on
account disable). That addresses lifecycle management; this addresses data
exposure.
### Recommendation
Create a safe DTO that explicitly excludes `token_hash`:
```python
import datetime

import pydantic


class PersonalAccessTokenSafe(pydantic.BaseModel):
    id: int
    asfuid: str
    created: datetime.datetime
    expires: datetime.datetime
    label: str | None
    last_used: datetime.datetime | None
    # Explicitly excludes: token_hash
```
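An added example, not the project's code, showing the exposure beside the projection to the safe DTO and a check that `token_hash` no longer survives serialisation. It uses dataclasses as stand-ins for the SQLModel and pydantic classes so it runs without those dependencies; the rows and hashes are constructed.

```python
from __future__ import annotations

import dataclasses
import datetime
import hashlib

# Constructed stand-in for sql.PersonalAccessToken (dataclass instead of SQLModel so this runs offline).
@dataclasses.dataclass
class PersonalAccessToken:
    id: int
    asfuid: str
    token_hash: str  # the field that must never leave the storage layer
    created: datetime.datetime
    expires: datetime.datetime
    label: str | None = None
    last_used: datetime.datetime | None = None

# Safe DTO with the same fields as the recommended PersonalAccessTokenSafe; token_hash has no slot here.
@dataclasses.dataclass(frozen=True)
class PersonalAccessTokenSafe:
    id: int
    asfuid: str
    created: datetime.datetime
    expires: datetime.datetime
    label: str | None
    last_used: datetime.datetime | None

    @classmethod
    def from_model(cls, row: PersonalAccessToken) -> PersonalAccessTokenSafe:
        # Copy only the DTO's own fields by name, so a future secret column on the model is not picked up either.
        return cls(**{f.name: getattr(row, f.name) for f in dataclasses.fields(cls)})

def own_personal_access_tokens_unsafe(rows: list[PersonalAccessToken]) -> list[PersonalAccessToken]:
    return list(rows)  # before: full model objects, token_hash included

def own_personal_access_tokens(rows: list[PersonalAccessToken]) -> list[PersonalAccessTokenSafe]:
    return [PersonalAccessTokenSafe.from_model(r) for r in rows]  # after: projected before returning

def leaked_ids(objs, secret_field: str = "token_hash") -> list[int]:
    """Ids of objects that would still expose the secret field once serialised (e.g. to JSON)."""
    return [o.id for o in objs if secret_field in dataclasses.asdict(o)]

_NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
SAMPLE_ROWS = [  # constructed rows; hashes are of dummy strings, not real tokens
    PersonalAccessToken(1, "alice", hashlib.sha256(b"dummy-1").hexdigest(), _NOW, _NOW, "ci"),
    PersonalAccessToken(2, "bob", hashlib.sha256(b"dummy-2").hexdigest(), _NOW, _NOW),
]
```

Run `leaked_ids` over whatever the storage layer returns in a unit test; with the unsafe reader it lists every row, with the DTO projection it is empty.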