asf-tooling opened a new issue, #1037:
URL: https://github.com/apache/tooling-trusted-releases/issues/1037
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
Three admin pages use the `template.blank()` rendering method, whose
implementation was not provided in the audit scope, so it is unclear whether
these pages include the logout button. If `template.blank()` does not extend
`base.html` or include `topnav.html`, authenticated admin users on these pages
have no visible logout mechanism, directly violating ASVS 7.4.4. They would
need to navigate to another page, manually visit `/auth?logout`, or close the
browser to terminate their session.
### Details
Affected locations:
- `atr/admin/__init__.py` line 885: `tasks_recent` uses `template.blank()`
- `atr/admin/__init__.py` line 1157: `_rotate_jwt_key_page` uses `template.blank()`
- `atr/admin/__init__.py` line 1210: `_validate_jwt_page` uses `template.blank()`
The `template.blank()` implementation was not provided, making it impossible
to verify logout button presence.
### Recommended Remediation
**Option 1:** Ensure `template.blank()` extends the base layout by creating
`layouts/blank.html`, which extends `base.html` and therefore inherits the topnav:
```html
{% extends "base.html" %}
{% block content %}
{{ content|safe }}
{% endblock %}
```
**Option 2:** Switch these pages to `template.render()` so they use the standard
layout, which guarantees the logout button is present.
Either verify that the `template.blank()` implementation includes `topnav.html`,
or refactor the affected handlers (`tasks_recent`, `_rotate_jwt_key_page`,
`_validate_jwt_page`) to use `template.render()` with proper base layout
inheritance.
### Acceptance Criteria
- [ ] Admin pages using template.blank() include logout button
- [ ] Logout button is visible and functional on all admin pages
- [ ] Template inheritance is verified
- [ ] Test cases verify logout button presence
- [ ] Unit test verifying the fix
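The remediation above and the acceptance criteria "Template inheritance is verified" and "Test cases verify logout button presence" both come down to one question: does a given layout, after following its `extends`/`include` chain, reach a template that carries the logout link? The following is an added example, not code from the tooling-trusted-releases project, that answers this with a source-level walk over template text using only the standard library. The template names `base.html`, `topnav.html` and `layouts/blank.html` and the `/auth?logout` href are taken from this issue; the template contents, the `layouts/blank_standalone.html` counter-example and all function names are constructed for illustration.

```python
import re
from collections import deque

# Constructed sample templates (not the project's real files). They model the
# two outcomes in the finding: a blank layout that extends base.html (and so
# inherits topnav.html), and one that renders stand-alone with no logout link.
SAMPLE_TEMPLATES = {
    "base.html": (
        '<!doctype html><body>{% include "topnav.html" %}'
        "{% block content %}{% endblock %}</body>"
    ),
    "topnav.html": '<nav><a href="/auth?logout">Log out</a></nav>',
    "layouts/blank.html": (
        '{% extends "base.html" %}'
        "{% block content %}{{ content|safe }}{% endblock %}"
    ),
    "layouts/blank_standalone.html": "<!doctype html><body>{{ content|safe }}</body>",
}

# Matches {% extends "x.html" %} and {% include 'x.html' %} (with optional "-" trim).
_REF = re.compile(r"""{%-?\s*(extends|include)\s+["']([^"']+)["']""")


def referenced_templates(source: str) -> set[str]:
    """Template names this source pulls in via extends or include."""
    return {m.group(2) for m in _REF.finditer(source)}


def inheritance_closure(templates: dict[str, str], name: str) -> set[str]:
    """Every template reachable from `name` through extends/include, itself included.

    Names missing from `templates` are kept in the result (so the caller can see
    a dangling reference) but not expanded; the seen-set guards against cycles.
    """
    seen: set[str] = set()
    queue = deque([name])
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(referenced_templates(templates.get(cur, "")))
    return seen


def has_logout_link(templates: dict[str, str], name: str,
                    logout_href: str = "/auth?logout") -> bool:
    """True if any template in `name`'s inheritance closure contains the logout href."""
    return any(logout_href in templates.get(t, "")
               for t in inheritance_closure(templates, name))


def audit(templates: dict[str, str], layouts: list[str]) -> dict[str, bool]:
    """Map each layout to whether it exposes the logout link; False entries need fixing."""
    return {layout: has_logout_link(templates, layout) for layout in layouts}


if __name__ == "__main__":
    for layout, ok in audit(SAMPLE_TEMPLATES, list(SAMPLE_TEMPLATES)).items():
        print(f"{'OK  ' if ok else 'FAIL'} {layout}")
```

A check like this belongs in the test suite next to a rendering test: a static walk proves the inheritance chain exists, but an `{% include %}` wrapped in a false condition, or a `{% block %}` that a child overrides with empty content, would still count as present here. Rendering the three admin pages through the test client and asserting that `/auth?logout` appears in the response body covers that remaining gap.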
### References
- Source reports: L2:7.4.4.md
- Related findings: FINDING-138, FINDING-254
- ASVS sections: 7.4.4
### Priority
Medium
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]