sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new 9b04ca4 Prevent enumeration
9b04ca4 is described below
commit 9b04ca4d6d7e4579c568fadfdf4fd5ae4097d18f
Author: Dave Fisher <[email protected]>
AuthorDate: Tue Jan 20 09:13:57 2026 -0800
Prevent enumeration
---
atr/principal.py | 2 +-
atr/storage/writers/tokens.py | 6 ++----
2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/atr/principal.py b/atr/principal.py
index 44b0874..f6aab09 100644
--- a/atr/principal.py
+++ b/atr/principal.py
@@ -148,7 +148,7 @@ class Committer:
ldap_scope="BASE",
)
if not (result and (len(result) == 1)):
- raise CommitterError(f"User {self.user!r} not found in LDAP")
+ raise CommitterError(f"Authentication failed")
except CommitterError:
raise
except Exception as ex:
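Review bot: The new raise on the `+` line uses an f-string with no placeholders, so the `f` prefix is dead (ruff F541); write it as `raise CommitterError("Authentication failed")`. The generic message is the right client-facing text for an enumeration fix, but the removed line was also the only place the not-found condition was stated, so the specific LDAP outcome should still be recorded server-side (a log entry at the same branch, for instance) so that operators can tell a missing account from a failed bind when investigating; I cannot see from the hunk whether such logging exists elsewhere in this method. The enclosing method body starts before and continues after the hunk.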
diff --git a/atr/storage/writers/tokens.py b/atr/storage/writers/tokens.py
index e3ca4cf..89259eb 100644
--- a/atr/storage/writers/tokens.py
+++ b/atr/storage/writers/tokens.py
@@ -90,10 +90,8 @@ class FoundationCommitter(GeneralPublic):
sql.PersonalAccessToken.token_hash == pat_hash,
)
)
- if pat is None:
- raise storage.AccessError("Invalid PAT")
- if pat.expires < datetime.datetime.now(datetime.UTC):
- raise storage.AccessError("Expired PAT")
+ if pat is None or pat.expires < datetime.datetime.now(datetime.UTC):
+ raise storage.AccessError("Authentication failed")
issued_jwt = jwtoken.issue(self.__asf_uid)
pat.last_used = datetime.datetime.now(datetime.UTC)
await self.__data.commit()
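Review bot: Merging the "Invalid PAT" and "Expired PAT" branches into one raise leaves no server-side trace of which condition fired, so detection of a token-guessing pattern versus a stale-token client becomes harder; keep the uniform "Authentication failed" for the caller but record the distinguishing reason before raising (a log entry keyed on `pat is None`, if a logger is available in this module — not visible from the hunk). Separately, `datetime.datetime.now(datetime.UTC)` is now evaluated twice in adjacent lines; a single local reads cleaner and makes the comparison and the `last_used` stamp consistent: `now = datetime.datetime.now(datetime.UTC)`, `if pat is None or pat.expires < now:`, `pat.last_used = now`. The enclosing method body starts before and continues after the hunk.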