andrewmusselman opened a new pull request, #605:
URL: https://github.com/apache/tooling-trusted-releases/pull/605

   ## Limit archive member count to prevent zip bomb attacks
   
   Closes #604
   
   ### Summary
   
   This PR adds a configurable limit on the number of members that can be extracted from an archive, preventing denial-of-service attacks that use archives with millions of small files to exhaust filesystem metadata (inodes), memory, or worker processes.
   
   ### Changes
   
   **`atr/tarzip.py`**
   - Added `MAX_ARCHIVE_MEMBERS` constant (default: 100,000)
   - Added `ArchiveMemberLimitExceeded` exception
   - Updated `ArchiveContext.__iter__()` to count members and raise if the limit is exceeded
   - Added `extract_member()` method for cleaner directory extraction
   - Made limit configurable via `open_archive(path, max_members=N)`
   
   **`atr/archives.py`**
   - Unified tar iteration to go through `ArchiveContext` (previously bypassed it by iterating directly on `TarFile`)
   - Updated function signatures to use `tarzip.TarMember` instead of `tarfile.TarInfo`
   
   **`atr/util.py`**
   - Updated `archive_listing()` to use `tarzip.open_archive()` instead of direct `tarfile`/`zipfile` access
   
   **`atr/tasks/checks/targz.py`**
   - Updated `root_directory()` to use `tarzip.open_archive()`
   
   **`atr/tasks/checks/zipformat.py`**
   - Updated `_integrity_check_core_logic()` and `_structure_check_core_logic()` to use `tarzip.open_archive()`
   
   ### Result
   
   All archive iteration now flows through a single chokepoint (`ArchiveContext.__iter__`), which enforces the member count limit for both tar and zip files.
   
   ### ASVS Compliance
   
   - **5.2.1** - File processing cannot cause denial of service
   
   * [x] I have read and followed **CONTRIBUTING.md**
   * [x] I have read **DEVELOPMENT.md**
   * [x] I have run the required tests and checks locally
   * [x] All required checks are currently passing
   * [x] This branch is **rebased on the current `main` branch**
   
   ---
   
   ## Rebase confirmation details (optional but encouraged)
   ```
   $ git fetch upstream 
   remote: Enumerating objects: 39, done.
   remote: Counting objects: 100% (39/39), done.
   remote: Compressing objects: 100% (24/24), done.
   remote: Total 39 (delta 21), reused 21 (delta 12), pack-reused 0 (from 0)
   Unpacking objects: 100% (39/39), 14.79 KiB | 541.00 KiB/s, done.
   From github.com:apache/tooling-trusted-releases
    * [new branch]        dependabot/github_actions/actions/cache-5.0.2       -> upstream/dependabot/github_actions/actions/cache-5.0.2
    * [new branch]        dependabot/github_actions/actions/checkout-6.0.2    -> upstream/dependabot/github_actions/actions/checkout-6.0.2
    * [new branch]        dependabot/github_actions/biomejs/setup-biome-2.7.0 -> upstream/dependabot/github_actions/biomejs/setup-biome-2.7.0
    * [new branch]        jwtoken_multiple_sources                            -> upstream/jwtoken_multiple_sources
    * [new branch]        rate_limiting                                       -> upstream/rate_limiting
   $ git rebase upstream/main
   Current branch archive-member-count-604 is up to date.
   ```
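The single-chokepoint pattern the PR describes, as an added illustration that is not the ATR project's code: one counting generator guards both tar and zip iteration and raises once the member count passes the configured limit. The names `iter_members`, `count_members`, `make_tar` and `make_zip` are assumptions for this sketch, and the sample archives are constructed in memory.

```python
import io
import tarfile
import zipfile

MAX_ARCHIVE_MEMBERS = 100_000  # default named in the PR description

class ArchiveMemberLimitExceeded(Exception):
    """Raised as soon as the member count passes the configured limit."""

def _limited(names, max_members):
    # Single chokepoint: count while yielding, whatever the archive format.
    seen = 0
    for name in names:
        seen += 1
        if seen > max_members:
            raise ArchiveMemberLimitExceeded(f"more than {max_members} members")
        yield name

def iter_members(data, max_members=MAX_ARCHIVE_MEMBERS):
    # Yield member names from an in-memory tar or zip archive (hypothetical API).
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            yield from _limited((zi.filename for zi in zf.infolist()), max_members)
        return
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r:*") as tf:
        # TarFile parses one header per step, so the limit fires before the rest is read.
        yield from _limited((ti.name for ti in tf), max_members)

def count_members(data, max_members=MAX_ARCHIVE_MEMBERS):
    """Return the member count, or None when the archive exceeds the limit."""
    try:
        return sum(1 for _ in iter_members(data, max_members))
    except ArchiveMemberLimitExceeded:
        return None

def make_tar(n):  # constructed sample: gzipped tar holding n empty files
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for i in range(n):
            tf.addfile(tarfile.TarInfo(f"d/f{i}"))
    return buf.getvalue()

def make_zip(n):  # constructed sample: zip holding n empty files
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(n):
            zf.writestr(f"d/f{i}", "")
    return buf.getvalue()
```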
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
