asf-tooling opened a new issue, #1057:
URL: https://github.com/apache/tooling-trusted-releases/issues/1057
**ASVS Level(s):** L2-only
**Description:**
### Summary
The session cache mechanism stores user authorization data (admin
privileges, committee memberships, MFA status) in a persistent JSON file
without TTL or automatic purging. Stale data persists indefinitely after role
changes or account deactivation. The cache stores `isRoot` (admin privilege
status), `isChair` (PMC chair status), `isMember` (ASF membership status),
`pmcs/projects` (authorization data), and `mfa` (MFA enrollment status). No
mechanism exists to automatically invalidate stale data.
### Details
The issue exists in `atr/post/user.py` lines 40-57 and `atr/util.py`
(session_cache_read() and session_cache_write() functions). Authorization data
is cached to disk without expiration timestamps or cleanup mechanisms.
### Recommended Remediation
Add TTL metadata and purge expired entries:
```python
import asyncio
import json
import pathlib
import time

SESSION_CACHE_TTL_SECONDS = 24 * 60 * 60  # 24 hour TTL


def session_cache_write(cache_dir: pathlib.Path, uid: str, data: dict) -> None:
    """Write session cache with TTL metadata."""
    now = time.time()
    cache_entry = {
        "data": data,
        "cached_at": now,
        "expires_at": now + SESSION_CACHE_TTL_SECONDS,
    }
    # Illustrative on-disk layout: one JSON file per uid under cache_dir.
    # uid must already be validated so it cannot escape cache_dir as a filename.
    (cache_dir / f"{uid}.json").write_text(json.dumps(cache_entry))


def session_cache_read(cache_dir: pathlib.Path, uid: str) -> dict | None:
    """Read session cache with expiration check; None forces a refresh."""
    cache_file = cache_dir / f"{uid}.json"
    if not cache_file.exists():
        return None
    cache_entry = json.loads(cache_file.read_text())
    if cache_entry.get("expires_at", 0) > time.time():
        return cache_entry["data"]
    # Expired - return None so the caller re-fetches authorization data
    return None


def purge_expired_cache_entries(cache_dir: pathlib.Path) -> None:
    """Periodic cleanup of expired cache entries."""
    current_time = time.time()
    for cache_file in cache_dir.glob("*.json"):
        cache_entry = json.loads(cache_file.read_text())
        if cache_entry.get("expires_at", 0) < current_time:
            cache_file.unlink()  # Delete expired entry


async def periodic_cache_cleanup(cache_dir: pathlib.Path, interval: float = 3600) -> None:
    """Run the purge once per interval for the lifetime of the process."""
    while True:
        purge_expired_cache_entries(cache_dir)
        await asyncio.sleep(interval)


# Schedule periodic cleanup
# In atr/server.py or worker initialization:
# asyncio.create_task(periodic_cache_cleanup(cache_dir))
```
### Acceptance Criteria
- [ ] TTL metadata added to cache entries (cached_at, expires_at)
- [ ] session_cache_read() checks expiration before returning data
- [ ] Periodic cleanup task implemented to purge expired entries
- [ ] Unit tests verify expired entries are not returned
- [ ] Unit tests verify cleanup removes expired entries
- [ ] Integration tests verify cache expiration behavior
- [ ] Documentation updated with cache TTL policy
### References
- Source reports: L2:14.2.2.md, L2:14.2.4.md
- Related findings: FINDING-297, FINDING-302
- ASVS sections: 14.2.2, 14.2.4
- CWE: CWE-524
### Priority
Medium
---
**Triage notes:** check into this, make this test-mode only
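The remediation exercised end to end, as an added example that is not code from the atr project: the `SessionCache` class, its one-file-per-uid layout, the fake clock and the sample `isRoot`/`mfa` payloads are assumptions for illustration. It shows what a TTL does and does not buy: an entry ages out on its own after the TTL and a purge removes it, but a role change one hour after caching is still served stale until the entry is explicitly invalidated, which is why the cache needs an `invalidate()` hook for role, MFA and deactivation events in addition to the TTL.

```python
"""Added example (not atr code): TTL-bounded session cache with explicit invalidation."""
from __future__ import annotations

import json
import pathlib
import tempfile
import time

TTL_SECONDS = 24 * 60 * 60


class SessionCache:
    """One JSON file per uid; 'expires_at' bounds staleness, invalidate() ends it early."""

    def __init__(self, cache_dir: pathlib.Path, ttl: float = TTL_SECONDS, clock=None):
        self.cache_dir = cache_dir
        self.ttl = ttl
        self.clock = clock or time.time  # injectable clock so tests need not sleep

    def _path(self, uid: str) -> pathlib.Path:
        # Refuse uids that could escape the cache directory when used as a filename
        if not uid or "/" in uid or "\\" in uid or uid in (".", ".."):
            raise ValueError(f"unsafe uid: {uid!r}")
        return self.cache_dir / f"{uid}.json"

    def write(self, uid: str, data: dict) -> None:
        now = self.clock()
        entry = {"data": data, "cached_at": now, "expires_at": now + self.ttl}
        self._path(uid).write_text(json.dumps(entry))

    def read(self, uid: str) -> dict | None:
        path = self._path(uid)
        if not path.exists():
            return None
        entry = json.loads(path.read_text())
        if entry.get("expires_at", 0) <= self.clock():
            path.unlink()  # expired: drop it now so the periodic purge has less to do
            return None
        return entry["data"]

    def invalidate(self, uid: str) -> bool:
        """Call on role/MFA change or account deactivation; True if an entry was dropped."""
        path = self._path(uid)
        if path.exists():
            path.unlink()
            return True
        return False

    def purge_expired(self) -> int:
        """Remove every expired (or unreadable) entry; returns the number removed."""
        removed = 0
        now = self.clock()
        for path in self.cache_dir.glob("*.json"):
            try:
                entry = json.loads(path.read_text())
            except ValueError:
                entry = {}  # unreadable entry is treated as expired
            if entry.get("expires_at", 0) <= now:
                path.unlink()
                removed += 1
        return removed


def unsafe_uid_rejected(uid: str) -> bool:
    """True if the cache refuses to turn this uid into a file path."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            SessionCache(pathlib.Path(tmp))._path(uid)
        except ValueError:
            return True
    return False


def demo() -> dict:
    """Walk through the staleness window with a fake clock; returns what each read saw."""
    fake_now = [1_700_000_000.0]  # constructed epoch timestamp
    clock = lambda: fake_now[0]
    with tempfile.TemporaryDirectory() as tmp:
        cache = SessionCache(pathlib.Path(tmp), ttl=TTL_SECONDS, clock=clock)
        cache.write("alice", {"isRoot": True, "mfa": True})
        fresh = cache.read("alice")
        # Admin rights revoked one hour later: TTL alone still serves isRoot=True
        fake_now[0] += 3600
        stale_after_revoke = cache.read("alice")
        # Explicit invalidation closes the window immediately
        invalidated = cache.invalidate("alice")
        after_invalidate = cache.read("alice")
        # A second user's entry ages out on its own once the TTL has passed
        cache.write("bob", {"isRoot": False, "mfa": False})
        fake_now[0] += TTL_SECONDS + 1
        expired = cache.read("bob")
        # A third entry is left for the periodic purge to collect
        cache.write("carol", {"isRoot": False, "mfa": True})
        fake_now[0] += TTL_SECONDS + 1
        purged = cache.purge_expired()
        return {
            "fresh": fresh,
            "stale_after_revoke": stale_after_revoke,
            "invalidated": invalidated,
            "after_invalidate": after_invalidate,
            "expired": expired,
            "purged": purged,
        }
```

The injectable clock is what makes the acceptance criteria testable without sleeping for 24 hours; the `stale_after_revoke` observation is the reason a TTL is a bound on staleness rather than a fix for it.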
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.