andrewmusselman opened a new issue, #537:
URL: https://github.com/apache/tooling-trusted-releases/issues/537

   ## Summary
   
   The `MAX_CONTENT_LENGTH` configuration is defined in quart/asfquart but this is not documented.
   
   ## ASVS Requirements
   
   - 1.5.1 - File upload size limits
   - 5.2.1 - Input validation
   
   ## Related Audit Reports
   
   - [Denial of Service #407](ASVS/denial-of-service-407.md) - Issue 1
   
   ## Affected Files
   
   - `atr/config.py:80` - Value defined
   - `atr/server.py` - Value never applied
   
   ## Current Behavior
   
   ```python
   # atr/config.py:80
   MAX_CONTENT_LENGTH: int = decouple.config("MAX_CONTENT_LENGTH", default=512 * _MB, cast=int)
   
   # atr/server.py - MAX_CONTENT_LENGTH is never applied to app.config
   ```
   
   ## Risk
   
   Attackers can upload arbitrarily large files, exhausting server memory and disk space.
   
   ## Recommended Fix
   
   ```python
   # In atr/server.py, within _app_create_base():
   from quart import Quart

   from atr import config

   def _app_create_base(conf: config.Config) -> Quart:
       app = Quart(__name__, ...)
       # Apply the configured limit so Quart rejects oversized request bodies with 413
       app.config['MAX_CONTENT_LENGTH'] = conf.MAX_CONTENT_LENGTH
       return app
   ```
   
   ## Acceptance Criteria
   
   - [ ] MAX_CONTENT_LENGTH applied to Quart app config
   - [ ] Appropriate error returned when limit exceeded (413 Payload Too Large)
   - [ ] Unit test verifying limit enforcement
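
The following is an added example, not code from the tooling-trusted-releases project or from the issue author. It models the enforcement Quart performs once `MAX_CONTENT_LENGTH` is present in `app.config`: an early rejection based on the declared `Content-Length` header, plus a byte count on the body as it streams in, because the declared length cannot be trusted and chunked uploads carry no `Content-Length` at all. Both paths end in a 413 response, which is what the acceptance criteria ask a unit test to verify. The `_MB` constant is assumed to be 1 MiB (the page references `_MB` but does not show its definition); `handle_upload`, `Response` and the chunk list are constructed for this example.

```python
"""
Added example (not from the tooling-trusted-releases project): models how a
MAX_CONTENT_LENGTH limit is enforced so the 413 behaviour can be unit tested
without a running Quart server.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

_MB = 1024 * 1024  # assumption: the project defines _MB as 1 MiB (not shown on the page)


@dataclass
class Response:
    status: int
    body: bytes


class RequestEntityTooLarge(Exception):
    """Raised when an upload exceeds the configured limit. Quart raises its own
    werkzeug RequestEntityTooLarge and maps it to HTTP 413."""


def check_content_length(content_length: Optional[int], max_content_length: int) -> None:
    """Reject early when the client declares a body larger than the limit.
    A missing header (None) cannot be judged here and falls through to read_body."""
    if content_length is not None and content_length > max_content_length:
        raise RequestEntityTooLarge(f"declared {content_length} > {max_content_length}")


def read_body(chunks: Iterable[bytes], max_content_length: int) -> bytes:
    """Accumulate the body while counting bytes. The check happens before each
    chunk is appended, so memory use is bounded by max_content_length even when
    the client lied about Content-Length or used chunked transfer encoding."""
    received = bytearray()
    for chunk in chunks:
        if len(received) + len(chunk) > max_content_length:
            raise RequestEntityTooLarge(f"body exceeded {max_content_length} bytes")
        received.extend(chunk)
    return bytes(received)


def handle_upload(
    content_length: Optional[int],
    chunks: Iterable[bytes],
    max_content_length: int = 512 * _MB,  # mirrors the default in atr/config.py
) -> Response:
    """Constructed stand-in for an upload route: 413 on oversize, 200 otherwise."""
    try:
        check_content_length(content_length, max_content_length)
        body = read_body(chunks, max_content_length)
    except RequestEntityTooLarge:
        return Response(413, b"Payload Too Large")
    return Response(200, b"stored %d bytes" % len(body))


if __name__ == "__main__":
    limit = 1024  # constructed small limit so the demonstration runs instantly
    # Honest client, within the limit
    print(handle_upload(512, [b"a" * 512], limit).status)            # 200
    # Declared size over the limit: rejected before any body is read
    print(handle_upload(4096, [b"a" * 4096], limit).status)          # 413
    # No Content-Length (chunked) and the stream overruns the limit
    print(handle_upload(None, [b"a" * 700, b"b" * 700], limit).status)  # 413
```

In Quart itself the same two checks run inside the request object once `app.config["MAX_CONTENT_LENGTH"]` is set: reading `await request.get_data()` or parsing form/file data raises `RequestEntityTooLarge`, which the framework converts into a 413 response, so the unit test in the acceptance criteria can post a body one byte over the limit through the test client and assert on `response.status_code == 413`.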
