asf-tooling opened a new issue, #1027:
URL: https://github.com/apache/tooling-trusted-releases/issues/1027
**ASVS Level(s):** [L1]
**Description:**
### Summary
The admin blueprint provides two route decorators: 'typed' decorator which
calls `authenticate()` including LDAP active account check, and 'post'
decorator which uses `_check_admin_access()` that validates admin status but
NOT LDAP account status. The `_check_admin_access()` before_request hook
validates that the user has a valid session cookie and is in the admin list,
but does not call `ldap.is_active()` to verify the account is still active.
Manual code review indicates no current admin routes use the 'post' decorator,
making this a latent vulnerability that creates false confidence for future
development. If admin routes use the 'post' decorator, deactivated LDAP
accounts could continue performing privileged operations for up to 72 hours.
### Details
Affected locations:
- `atr/blueprints/admin.py` lines 23-31: post decorator definition
- `atr/blueprints/admin.py` lines 146-155: _check_admin_access() without
LDAP check
- `atr/blueprints/admin.py` lines 87-89: typed decorator calls authenticate()
The `_check_admin_access()` function validates session and admin status but
skips LDAP account status verification.
### Recommended Remediation
Update `_check_admin_access()` to call `common.authenticate()` which
includes LDAP validation, or deprecate the post decorator entirely.
**Recommended:** Modify `_check_admin_access()` to call
`common.authenticate()` instead of directly reading the session:
```python
async def _check_admin_access() -> None:
"""Verify user is authenticated admin with active LDAP account."""
# Use common.authenticate() which includes LDAP check
session = await common.authenticate()
# Verify admin status
if session.uid not in config.get().ADMINS:
raise exceptions.Forbidden("Admin access required")
```
**Additionally:** Add documentation warning against using post decorator, or
remove it entirely if not needed.
### Acceptance Criteria
- [ ] Admin post decorator includes LDAP account status check
- [ ] Deactivated accounts cannot use admin routes
- [ ] Documentation warns against post decorator or it's removed
- [ ] Test cases verify LDAP check for admin routes
- [ ] Unit test verifying the fix
### References
- Source reports: L1:7.4.1.md
- Related findings: FINDING-247
- ASVS sections: 7.4.1
### Priority
Medium
---
---
**Triage notes:** clean up
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
