This is an automated email from the ASF dual-hosted git repository. sbp pushed a commit to branch sbp in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit 2e7234167797dfcadf114e45e3de30a6d42a40ef
Author: Sean B. Palmer <[email protected]>
AuthorDate: Fri Feb 13 17:10:20 2026 +0000
Make the existence of certain disallowed file types blocking
---
atr/analysis.py | 21 +++++++++++++++++++++
atr/tasks/checks/paths.py | 6 +++++-
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/atr/analysis.py b/atr/analysis.py
index 7a864269..4e59cf0c 100755
--- a/atr/analysis.py
+++ b/atr/analysis.py
@@ -58,6 +58,27 @@ ARTIFACT_SUFFIXES: Final[list[str]] = [
 "zip",
 ]
+DISALLOWED_FILENAMES: Final[frozenset[str]] = frozenset(
+ {
+ ".DS_Store",
+ ".git",
+ ".htaccess",
+ ".htpasswd",
+ "desktop.ini",
+ "id_dsa",
+ "id_ecdsa",
+ "id_ed25519",
+ "id_rsa",
+ "Thumbs.db",
+ }
+)
+
+DISALLOWED_SUFFIXES: Final[frozenset[str]] = frozenset(
+ {
+ ".key",
+ }
+)
+
 # "mds" is used in ozone
 # "SHA256" and "SHA512" are used in ranger
 # "MD5" is used in samza
diff --git a/atr/tasks/checks/paths.py b/atr/tasks/checks/paths.py
index 4f01dfa4..d3365069 100644
--- a/atr/tasks/checks/paths.py
+++ b/atr/tasks/checks/paths.py
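Review bot: `DISALLOWED_FILENAMES` and `DISALLOWED_SUFFIXES` carry no comment saying what they group or how they are matched, while the neighbouring suffix list documents every entry (`# "mds" is used in ozone`). A header such as `# Files that must never ship in a release artifact: private-key material (id_*, *.key), VCS and web-server metadata (.git, .htaccess, .htpasswd) and OS housekeeping files. Compared exactly against Path.name / Path.suffix in tasks/checks/paths.py, so casing matters.` would tell a maintainer why `Thumbs.db` and `.DS_Store` are spelled in their on-disk casing and that a differently cased variant is a separate entry. It may also be worth noting in that comment whether the single `.key` suffix is meant to be the whole private-key policy or only the first entry, since key material is commonly stored under other container suffixes as well.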
@@ -196,7 +196,11 @@ async def _check_path_process_single(
 # We assume that LICENSE and NOTICE are permitted also
 if relative_path.name == "KEYS":
 errors.append("The KEYS file should be uploaded via the 'Keys' section, not included in the artifact bundle")
- if any(part.startswith(".") for part in relative_path.parts):
+ if relative_path.name in analysis.DISALLOWED_FILENAMES:
+ blockers.append(f"Disallowed file: {relative_path.name}")
+ elif relative_path.suffix in analysis.DISALLOWED_SUFFIXES:
+ blockers.append(f"Disallowed file type: {relative_path.suffix}")
+ elif any(part.startswith(".") for part in relative_path.parts):
 # TODO: There is not a a policy for this
 # We should enquire as to whether such a policy should be instituted
 # We're forbidding dotfiles to catch accidental uploads of e.g. .git or .htaccess
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
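Review bot: The new `if relative_path.name in analysis.DISALLOWED_FILENAMES:` branch inspects only the last path component, so when a disallowed entry such as `.git` is a directory, its contents (`.git/config`, `.git/HEAD`) have a different `name` and fall through to the pre-existing dotfile branch, which only appends to `errors`; if the caller iterates files rather than directories, the blocker is never raised for the very case the set was introduced for. Matching every component closes that gap: `if any(part in analysis.DISALLOWED_FILENAMES for part in relative_path.parts):`. The suffix comparison is also case-sensitive, so a `.KEY` file passes; `elif relative_path.suffix.lower() in analysis.DISALLOWED_SUFFIXES:` handles that because the constant is already lowercase. `_check_path_process_single` starts and ends outside this hunk, and I am assuming `blockers` is a list already in scope alongside `errors`.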
