andrewmusselman opened a new issue, #550:
URL: https://github.com/apache/tooling-trusted-releases/issues/550
## Summary
Worker resource limits are defined but commented out, leaving workers
vulnerable to resource exhaustion.
## ASVS Requirements
- 1.5.1 - Resource consumption controls
## Related Audit Reports
- [Denial of Service #407](ASVS/denial-of-service-407.md) - Issue 5
## Affected Files
- `atr/worker.py:267-283`
## Current Behavior
```python
def _worker_resources_limit_set() -> None:
    # TODO: https://github.com/apache/tooling-trusted-releases/issues/411
    # resource.setrlimit(resource.RLIMIT_CPU, ...)  # COMMENTED OUT
    # resource.setrlimit(resource.RLIMIT_AS, ...)  # COMMENTED OUT
    return  # Does nothing
```
## Recommended Fix
```python
import resource

_CPU_LIMIT_SECONDS = 300  # 5 minutes
_MEMORY_LIMIT_BYTES = 1024 * 1024 * 1024  # 1GB


def _worker_resources_limit_set() -> None:
    # `log` is assumed to be the logger already in scope in atr/worker.py.
    # Each limit is set as (soft, hard); a failure is logged, not raised.
    try:
        resource.setrlimit(resource.RLIMIT_CPU, (_CPU_LIMIT_SECONDS, _CPU_LIMIT_SECONDS))
    except (ValueError, OSError) as e:
        log.warning(f"Could not set CPU limit: {e}")
    try:
        resource.setrlimit(resource.RLIMIT_AS, (_MEMORY_LIMIT_BYTES, _MEMORY_LIMIT_BYTES))
    except (ValueError, OSError) as e:
        log.warning(f"Could not set memory limit: {e}")
```
## Acceptance Criteria
- [ ] CPU limit enabled
- [ ] Memory limit enabled
- [ ] Graceful handling when limits cannot be set
- [ ] Consider container-based limits as alternative
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
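An added example, not part of the issue or of the ATR code base: it applies the same two limits to a child process and shows an oversized allocation failing inside the child while the parent is unaffected. It also covers the case where the inherited hard limit is already lower than the requested value, in which case requesting more would make `setrlimit` raise `ValueError`. The names `clamp_limit`, `apply_limits`, `run_limited` and `MEMORY_HOG` are hypothetical, and the workload is constructed.

```python
import resource
import subprocess
import sys

RLIM_INF = resource.RLIM_INFINITY


def clamp_limit(requested: int, current_hard: int) -> tuple[int, int]:
    """Return (soft, hard) that never asks to raise the existing hard limit."""
    if current_hard != RLIM_INF and (requested == RLIM_INF or requested > current_hard):
        requested = current_hard
    return (requested, requested)


def apply_limits(cpu_seconds: int, memory_bytes: int) -> None:
    """Lower RLIMIT_CPU and RLIMIT_AS for the calling process only."""
    for which, wanted in ((resource.RLIMIT_CPU, cpu_seconds),
                          (resource.RLIMIT_AS, memory_bytes)):
        _, hard = resource.getrlimit(which)
        resource.setrlimit(which, clamp_limit(wanted, hard))


def run_limited(code: str, cpu_seconds: int, memory_bytes: int) -> subprocess.CompletedProcess:
    """Run Python source in a child; limits are applied after fork, before exec."""
    return subprocess.run(
        [sys.executable, "-c", code],
        preexec_fn=lambda: apply_limits(cpu_seconds, memory_bytes),
        capture_output=True, text=True, timeout=30,
    )


# Constructed workload standing in for a runaway task: it tries to allocate
# as many bytes as its whole address-space limit, which cannot succeed.
MEMORY_HOG = (
    "import resource\n"
    "soft, _ = resource.getrlimit(resource.RLIMIT_AS)\n"
    "try:\n"
    "    bytearray(soft)\n"
    "except MemoryError:\n"
    "    print('MemoryError')\n"
)

if __name__ == "__main__":
    # Values taken from the recommended fix: 300 s of CPU, 1 GiB of memory.
    result = run_limited(MEMORY_HOG, 300, 1024 * 1024 * 1024)
    print(result.returncode, result.stdout.strip())
```

`preexec_fn` runs in the child between fork and exec, so the parent keeps its own limits; it is not safe to use when the parent process has multiple threads.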