asf-tooling opened a new issue, #1012:
URL: https://github.com/apache/tooling-trusted-releases/issues/1012
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The web upload staging endpoint accepts files of arbitrary size without
validation. Files are streamed directly to disk in 1 MiB chunks with no
cumulative size checking, allowing authenticated users to exhaust staging
volume storage. The endpoint writes files completely before any size validation
occurs.
### Details
Affected location: `atr/post/upload.py` lines 118-155
The staging endpoint:
1. Accepts file uploads via multipart/form-data
2. Streams content to disk in 1 MiB chunks
3. Performs no size limit checking during streaming
4. Tracks no cumulative size across multiple uploads
Because nothing bounds the stream, an authenticated user can upload
arbitrarily large files, or many files, until the staging volume is full.
### Recommended Remediation
Add a `MAX_UPLOAD_SIZE_BYTES` configuration constant. Track cumulative bytes
written during file streaming. Raise `exceptions.PayloadTooLarge` as soon as the
limit is exceeded, before the offending chunk is written, and delete the
partially written file on a size limit violation:
```python
import pathlib

from atr import exceptions  # assumed import path; this issue names only `exceptions.PayloadTooLarge`

MAX_UPLOAD_SIZE_BYTES = 2 * 1024 * 1024 * 1024  # 2 GiB


async def stage(session, upload_session, file, staging_path: pathlib.Path):
    total_bytes = 0
    try:
        async for chunk in file:
            total_bytes += len(chunk)
            # Check before writing so the file on disk never exceeds the limit
            if total_bytes > MAX_UPLOAD_SIZE_BYTES:
                raise exceptions.PayloadTooLarge(
                    f"Upload exceeds {MAX_UPLOAD_SIZE_BYTES} byte limit"
                )
            # Write chunk (existing 1 MiB chunk write, unchanged)
    except exceptions.PayloadTooLarge:
        # Delete partially written file
        staging_path.unlink(missing_ok=True)
        raise
```
Consider implementing per-release or per-user storage quotas.
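The following is an added, self-contained illustration of the remediation above together with the per-session quota suggestion; it is example code written for this issue, not code from `atr/post/upload.py` or the project. It uses a stand-in `PayloadTooLarge` exception, a hypothetical `UploadSession` quota holder, a constructed `fake_upload` client that yields zero-filled 1 MiB chunks, and a synchronous file write (the real endpoint would keep its own write path). The limits are shrunk to 8 MiB per file and 20 MiB per session so the scenarios run quickly; the numbers are assumptions, not values from the issue.

```python
import asyncio
import pathlib
import tempfile
from collections.abc import AsyncIterator

# Hypothetical limits for this example; the issue itself only names MAX_UPLOAD_SIZE_BYTES
MAX_UPLOAD_SIZE_BYTES = 8 * 1024 * 1024   # 8 MiB per file, small so the example runs fast
MAX_SESSION_BYTES = 20 * 1024 * 1024      # 20 MiB across all files in one upload session
CHUNK_SIZE = 1024 * 1024                  # 1 MiB, matching the chunking described in the issue


class PayloadTooLarge(Exception):
    """Stands in for exceptions.PayloadTooLarge; not the project's class."""


class UploadSession:
    """Hypothetical holder that tracks cumulative bytes so one session cannot fill the volume."""

    def __init__(self, staging_dir: pathlib.Path, quota: int = MAX_SESSION_BYTES) -> None:
        self.staging_dir = staging_dir
        self.quota = quota
        self.bytes_used = 0


async def stage(upload_session: UploadSession, name: str, file: AsyncIterator[bytes]) -> pathlib.Path:
    """Stream `file` to disk, enforcing per-file and per-session limits while writing."""
    staging_path = upload_session.staging_dir / name
    total_bytes = 0
    try:
        # Synchronous write keeps the example dependency-free; the endpoint would use its own I/O
        with staging_path.open("wb") as out:
            async for chunk in file:
                total_bytes += len(chunk)
                # Both checks run before the write, so the on-disk file never exceeds either limit
                if total_bytes > MAX_UPLOAD_SIZE_BYTES:
                    raise PayloadTooLarge(f"upload exceeds {MAX_UPLOAD_SIZE_BYTES} byte limit")
                if upload_session.bytes_used + total_bytes > upload_session.quota:
                    raise PayloadTooLarge(f"session quota of {upload_session.quota} bytes exceeded")
                out.write(chunk)
    except PayloadTooLarge:
        # The `with` block has already closed the handle; remove the partial file, then re-raise
        staging_path.unlink(missing_ok=True)
        raise
    upload_session.bytes_used += total_bytes
    return staging_path


async def fake_upload(size: int) -> AsyncIterator[bytes]:
    """Constructed client: yields `size` bytes of zeros in 1 MiB chunks, like a multipart body."""
    remaining = size
    while remaining > 0:
        n = min(CHUNK_SIZE, remaining)
        yield b"\0" * n
        remaining -= n


def run_scenarios() -> dict:
    """Exercise the three behaviours the acceptance criteria ask for and report what happened."""

    async def scenarios() -> dict:
        with tempfile.TemporaryDirectory() as tmp:
            session = UploadSession(pathlib.Path(tmp))
            results = {}
            # 1. A file under the limit is staged in full and counted against the session
            path = await stage(session, "ok.tar.gz", fake_upload(5 * CHUNK_SIZE))
            results["ok_size"] = path.stat().st_size
            results["ok_used"] = session.bytes_used
            # 2. An oversized file is rejected mid-stream and leaves no partial file behind
            try:
                await stage(session, "huge.bin", fake_upload(MAX_UPLOAD_SIZE_BYTES + 1))
                results["huge_rejected"] = False
            except PayloadTooLarge:
                results["huge_rejected"] = True
            results["huge_cleaned"] = not (pathlib.Path(tmp) / "huge.bin").exists()
            results["used_after_reject"] = session.bytes_used
            # 3. Files that each fit individually still cannot push the session past its quota
            await stage(session, "second.bin", fake_upload(8 * CHUNK_SIZE))
            await stage(session, "third.bin", fake_upload(7 * CHUNK_SIZE))
            try:
                await stage(session, "fourth.bin", fake_upload(CHUNK_SIZE))
                results["quota_rejected"] = False
            except PayloadTooLarge:
                results["quota_rejected"] = True
            results["fourth_cleaned"] = not (pathlib.Path(tmp) / "fourth.bin").exists()
            return results

    return asyncio.run(scenarios())


if __name__ == "__main__":
    print(run_scenarios())
```

Scenario 2 is the one that distinguishes "checked during streaming" from "checked after": the limit fires on the chunk that crosses it, while the rejected bytes are still bounded by `MAX_UPLOAD_SIZE_BYTES`, and the cleanup runs after the file handle is closed so the unlink works on every platform. Scenario 3 shows why the per-file limit alone is insufficient: three files that each pass the per-file check would still fill the volume without the session quota.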
### Acceptance Criteria
- [ ] Maximum upload size limit is enforced
- [ ] Limit is checked during streaming, not after
- [ ] Partially written files are cleaned up on limit violation
- [ ] Test cases verify size limit enforcement
- [ ] Unit test verifying the fix
### References
- Source reports: L2:2.3.2.md
- Related findings: None
- ASVS sections: 2.3.2
### Priority
Medium
---
**Related issue:**
https://github.com/apache/tooling-trusted-releases/issues/968
---
**Triage notes:** related to
https://github.com/apache/tooling-trusted-releases/issues/968
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]