asf-tooling opened a new issue, #1097:
URL: https://github.com/apache/tooling-trusted-releases/issues/1097
**ASVS Level(s):** L2
**Description:**
### Summary
JWT claims including the user identity (sub), JWT ID (jti), timestamps (iat,
exp), and potentially the PAT hash (atr_th) are logged in their entirety at DEBUG
level. DEBUG is less likely to be enabled in production, but it is commonly
turned on during troubleshooting. User identity and token identifiers then enter
the log stream, and if logs are forwarded to external aggregation services this
data leaves application control. The PAT hash (atr_th) could be used to
correlate token usage across systems.
### Details
In `atr/jwtoken.py` at line 116, full JWT claims are logged at DEBUG level.
### Recommended Remediation
Replace the full claims dump with selective logging. Log only the information
essential for debugging:
```python
import time

# `log` is assumed to be a structured logger that accepts keyword fields,
# as the keyword-argument call below implies.
log.debug(
    "JWT verified successfully",
    subject=claims.get("sub"),
    # truncate the token id so the line cannot be matched to the full jti
    jti=(claims.get("jti")[:8] + "...") if claims.get("jti") else None,
    # seconds until expiry is more useful than the absolute exp timestamp
    expires_in=(claims.get("exp") - int(time.time())) if claims.get("exp") else None,
)
```
Truncate sensitive identifiers and avoid logging the full claims dictionary.
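The remediation as a self-contained example (added here, not code from the tooling-trusted-releases project): an allow-list function that reduces verified claims to `sub`, a truncated `jti` and `expires_in`, plus a capturing handler so a unit test can assert on the emitted log line, as the acceptance criteria ask. The logger name and the sample claims are assumptions; stdlib `logging` stands in for whatever logger `atr/jwtoken.py` uses.

```python
import logging
import time

log = logging.getLogger("atr.jwtoken")  # assumed logger name, not the project's
# Constructed sample claims (not a real token); atr_th stands in for the PAT hash.
EXAMPLE_CLAIMS = {"sub": "alice", "jti": "0123456789abcdef", "iat": 1000,
                  "exp": 1300, "atr_th": "deadbeefcafe"}

def truncate_id(value, keep=8):
    """Keep a short prefix only, so the log line cannot correlate the token across systems."""
    if not value:
        return None
    value = str(value)
    return value[:keep] + "..." if len(value) > keep else value

def loggable_claims(claims, now=None):
    """Allow-list the fields worth logging; atr_th and any claim not named
    here is dropped rather than copied (no full-dictionary dump)."""
    now = int(time.time()) if now is None else int(now)
    exp = claims.get("exp")
    return {
        "sub": claims.get("sub"),
        "jti": truncate_id(claims.get("jti")),
        "expires_in": int(exp) - now if exp is not None else None,
    }

def log_verified(claims, now=None):
    """Emit the selective DEBUG line and return the fields it contained."""
    fields = loggable_claims(claims, now)
    log.debug("JWT verified successfully %s", fields)
    return fields

class _Capture(logging.Handler):  # collects formatted records for unit tests
    def __init__(self):
        super().__init__(level=logging.DEBUG)
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def captured_debug_line(claims, now=None):
    """Run log_verified under a capturing handler and return the log line."""
    handler, old_level = _Capture(), log.level
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    try:
        log_verified(claims, now)
    finally:
        log.setLevel(old_level)
        log.removeHandler(handler)
    return handler.lines[-1]
```

A test built on `captured_debug_line` checks the negative case too: the full `jti` and the `atr_th` value must be absent from the line, not just the expected fields present.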
### Acceptance Criteria
- [ ] Full claims dictionary not logged
- [ ] Only essential information logged
- [ ] Sensitive identifiers truncated
- [ ] Unit tests verify logging content
### References
- Source reports: L2:14.2.3.md, L2:14.2.4.md
- Related findings: None
- ASVS sections: 14.2.3, 14.2.4
### Priority
Low
---
**Triage notes:** janitorial services
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]