asf-tooling opened a new issue, #1128: URL: https://github.com/apache/tooling-trusted-releases/issues/1128
**ASVS Level(s):** L2

**Description:**

### Summary

The authorization cache stores committee and project memberships for authenticated users. While entries are refreshed when outdated (600-second TTL), entries for inactive users are never removed, causing unbounded memory growth. While this is committee/project membership metadata (not credentials), ASVS 14.2.2 requires that cached data be 'securely purged after use'. If a user's committee memberships change or their account is deactivated, stale data remains until the process restarts.

### Details

In `atr/principal.py` at lines 172-182, the authorization cache refreshes entries but never removes stale entries for inactive users.

### Recommended Remediation

Add an eviction mechanism for stale entries by removing entries not refreshed within 2x TTL. Call it periodically from `admins_refresh_loop` or a dedicated background task.

### Acceptance Criteria

- [ ] Eviction mechanism for stale entries implemented
- [ ] Memory growth bounded
- [ ] Inactive user entries removed
- [ ] Unit tests verify eviction logic

### References

- Source reports: L2:14.2.2.md
- Related findings: None
- ASVS sections: 14.2.2

### Priority

Low

---

**Triage notes:** janitorial services
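The remediation proposed above, written out as an added example: a TTL-refreshed membership cache with an eviction pass that drops entries not refreshed within twice the TTL, so active users (refreshed on access) stay cached while inactive ones are removed instead of lingering until restart. This is illustrative code, not the contents of `atr/principal.py`; the `MembershipCache`/`Entry` layout, the `loader` callback and the user ids are assumptions, and the time values are passed in explicitly so the behaviour can be checked without waiting.

```python
"""Illustrative membership cache with stale-entry eviction (hypothetical, not ATR code)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

TTL_SECONDS = 600.0              # refresh interval cited in the issue
EVICT_AFTER = 2 * TTL_SECONDS    # eviction threshold proposed in the issue

# loader(uid) -> (committees, projects); the real lookup is an assumption here
Loader = Callable[[str], "tuple[Iterable[str], Iterable[str]]"]


@dataclass
class Entry:
    committees: frozenset
    projects: frozenset
    refreshed_at: float          # timestamp of the last refresh (monotonic clock)


@dataclass
class MembershipCache:
    """uid -> committee/project memberships. Field layout is an assumption."""
    ttl: float = TTL_SECONDS
    evict_after: float = EVICT_AFTER
    _entries: dict = field(default_factory=dict)

    def get(self, uid: str, loader: Loader, now: Optional[float] = None) -> Entry:
        """Return memberships for uid, refreshing via `loader` once the TTL has passed."""
        now = time.monotonic() if now is None else now
        entry = self._entries.get(uid)
        if entry is None or now - entry.refreshed_at >= self.ttl:
            committees, projects = loader(uid)
            entry = Entry(frozenset(committees), frozenset(projects), now)
            self._entries[uid] = entry
        return entry

    def evict_stale(self, now: Optional[float] = None) -> list:
        """Drop entries not refreshed within `evict_after`; return the evicted uids.

        Meant to be called periodically from a background task: an entry that is still
        being read is refreshed by get() and survives; one idle for 2x TTL is removed.
        """
        now = time.monotonic() if now is None else now
        stale = sorted(uid for uid, e in self._entries.items()
                       if now - e.refreshed_at >= self.evict_after)
        for uid in stale:
            del self._entries[uid]
        return stale

    def __len__(self) -> int:
        return len(self._entries)
```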
