asf-tooling opened a new issue, #1101:
URL: https://github.com/apache/tooling-trusted-releases/issues/1101
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The `/tokens` page loads a TypeScript module named 'create-a-jwt' that
handles JWT generation and display, but the TypeScript source was not included
in the audit scope. Without this code, it cannot be verified whether the JWT is
improperly stored in browser storage (localStorage, sessionStorage, or
IndexedDB), which would violate ASVS 14.3.3 since JWTs are bearer credentials.
This represents an audit coverage gap rather than a confirmed vulnerability.
### Details
The tokens page (`atr/get/tokens.py`, lines 55-80) implements a JWT display
workflow:
1. User requests JWT generation via AJAX
2. TypeScript module 'create-a-jwt' handles the request
3. JWT is displayed in DOM element `#jwt-output`
4. A countdown timer manages the display period
**Unverifiable security properties:**
- Whether JWT is stored in localStorage, sessionStorage, or IndexedDB during display
- Whether JWT is reliably cleared from DOM and memory after countdown
- Whether AJAX response is cached in browser storage
- Whether JWT is properly cleaned up on page navigation
- Whether the countdown timer reliably clears the JWT after 30 minutes
If the TypeScript stores the JWT in browser storage, it would violate ASVS
14.3.3 requirements for bearer credential handling.
**Affected file:** `atr/get/tokens.py`, lines 55-80
### Recommended Remediation
1. **Include TypeScript in audit scope:** Add the 'create-a-jwt' TypeScript
   module to the repository and audit to verify:
   - No JWT storage in localStorage/sessionStorage/IndexedDB
   - JWT is only held in DOM/memory
   - Proper cleanup on page navigation
2. **Implement explicit cleanup handlers:**
```typescript
window.addEventListener('beforeunload', () => {
  // Clear JWT from DOM; guard against a missing element instead of dereferencing null
  const output = document.getElementById('jwt-output');
  if (output !== null) {
    output.textContent = '';
  }
  // Clear any in-memory references (e.g. set the module's closure variable holding the token to null)
});
```
3. **Consider memory-only approaches:** Use Blob URLs that can be explicitly
revoked, or keep JWT only in JavaScript closure scope
4. **Verify countdown timer:** Ensure the 30-minute countdown reliably
clears the JWT and cannot be bypassed
### Acceptance Criteria
- [ ] TypeScript source code 'create-a-jwt' is added to repository
- [ ] Code review confirms no browser storage usage for JWT
- [ ] Explicit cleanup handlers are implemented for page navigation
- [ ] Countdown timer behavior is verified and tested
- [ ] Browser developer tools testing confirms no JWT persistence
- [ ] Unit test verifying the fix
### References
- Source reports: L2:14.3.3.md
- Related findings: FINDING-192
- ASVS sections: 14.3.3
### Priority
Low
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.