andrewmusselman opened a new issue, #735: URL: https://github.com/apache/tooling-trusted-releases/issues/735
**ASVS Reference:** 7.4.2
**Findings:** 7.4.2-02, 7.4.2-03

### Description

The `is_banned()` function exists in `atr/ldap.py` and correctly checks the `asf-banned` LDAP attribute, but it is **not integrated** into the main authentication flows:

- **Cookie session validation** (`atr/blueprints/get.py`, `atr/blueprints/post.py`): The `committer()` decorators read the session cookie and check its validity but never verify the user's LDAP account is still active.
- **JWT verification** (`atr/jwtoken.py:verify()`): Only validates cryptographic signature and standard claims — no account status check.

This means a disabled account can continue accessing the application for up to 72 hours (cookie sessions) or 30 minutes (JWT).

### Affected Files

- `atr/jwtoken.py` — `verify()` needs an account status check
- `atr/blueprints/get.py` — `committer()` decorator
- `atr/blueprints/post.py` — `committer()` decorator
- `atr/ldap.py` — `is_banned()` exists but is unused in auth flow

### Recommendation

Add LDAP account status validation to session middleware (e.g., in `validate_session_lifetime()` or a new `before_request` handler). For JWT, consider wrapping `verify()` with an async variant that checks LDAP status, possibly with a short cache to limit LDAP load.
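The JWT wrapper the recommendation sketches, as an added example that is not part of this issue or of the project's code: a short-TTL cache in front of an `is_banned` lookup, composed with the existing `verify()` so that a cryptographically valid token is still rejected once the account carries `asf-banned`. The in-memory directory stub, the fake `verify()`, the token format and the 30-second TTL are constructed stand-ins (the real calls would be `atr.ldap.is_banned()` and `atr.jwtoken.verify()`); an async variant has the same shape with an awaited LDAP call.

```python
from typing import Callable


class BannedStatusCache:
    """Short-TTL cache in front of the asf-banned lookup, to bound LDAP load."""

    def __init__(self, lookup: Callable[[str], bool], ttl: float, clock: Callable[[], float]) -> None:
        self._lookup, self._ttl, self._clock = lookup, ttl, clock
        self._entries: dict[str, tuple[bool, float]] = {}  # uid -> (banned, expires_at)

    def is_banned(self, uid: str) -> bool:
        now = self._clock()
        cached = self._entries.get(uid)
        if cached is not None and cached[1] > now:
            return cached[0]
        banned = self._lookup(uid)  # cache miss or expired entry: one LDAP round-trip
        self._entries[uid] = (banned, now + self._ttl)
        return banned


class AccountDisabled(Exception):
    """Token is cryptographically valid but the account carries asf-banned."""


def verify_active(token: str, verify: Callable[[str], dict], cache: BannedStatusCache) -> dict:
    """Wrap the existing verify(): signature and claims first, then account status."""
    claims = verify(token)  # stand-in for atr.jwtoken.verify(); assumed to raise on bad tokens
    if cache.is_banned(claims["sub"]):
        raise AccountDisabled(claims["sub"])
    return claims


def demo() -> dict:
    """Exercise the wrapper with a constructed directory stub and a controllable clock."""
    banned, queries, clock = {"mallory"}, [0], [0.0]  # constructed in-memory stand-ins
    def ldap_is_banned(uid: str) -> bool:  # stand-in for atr.ldap.is_banned(); counts round-trips
        queries[0] += 1
        return uid in banned
    cache = BannedStatusCache(ldap_is_banned, ttl=30.0, clock=lambda: clock[0])
    fake_verify = lambda token: {"sub": token.removeprefix("tok-")}  # constructed; no real signature check
    def outcome(token: str) -> str:
        try:
            return verify_active(token, fake_verify, cache)["sub"]
        except AccountDisabled:
            return "rejected"
    result = {"alice": outcome("tok-alice"), "mallory": outcome("tok-mallory")}
    for _ in range(5):  # repeats inside the TTL are served from the cache
        outcome("tok-alice")
    result["queries_within_ttl"] = queries[0]  # one LDAP query per distinct uid
    banned.add("alice")
    clock[0] += 31.0  # TTL expired: the next request re-reads LDAP and sees the new ban
    result["alice_after_ttl"] = outcome("tok-alice")
    return result
```

The TTL is the new upper bound on how long a disabled account keeps access, replacing the 72-hour and 30-minute windows described above, so it should be kept short.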
