andrewmusselman opened a new issue, #736: URL: https://github.com/apache/tooling-trusted-releases/issues/736
**ASVS References:** 7.4.1, 7.4.2 **Findings:** 7.4.1-MEDIUM-001, 7.4.1-MEDIUM-002, 7.3.2-2.3, 7.4.2-07 ### Description Two caches persist stale data after session termination: 1. **Authorization cache** (`atr/principal.py`): A global in-memory cache with a 600-second (10-minute) TTL stores user committee memberships and project participations. When a session is terminated (logout or expiration), the cache is **not** invalidated. A user who logs out and logs back in within 10 minutes could retain stale permissions. 2. **Session file cache** (`atr/util.py`): A JSON file (`user_session_cache.json`) stores session data for SSH/rsync authentication. It has no TTL, no expiration metadata, and no integration with the logout flow. Data persists across application restarts. ### Affected Files - `atr/principal.py` — `Cache` class lacks an `invalidate()` method - `atr/util.py` — `session_cache_read()` / `session_cache_write()` lack expiration and invalidation - `atr/server.py` — `validate_session_lifetime()` clears the session but not the caches ### Recommendation 1. Add a `Cache.invalidate(asf_uid)` method to `atr/principal.py` that removes all cached entries for a user. 2. Add a `session_cache_invalidate(user_id)` function to `atr/util.py`. 3. Call both on logout, session expiration, and account disable events. 4. Add TTL/timestamp metadata to session file cache entries. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
