sbp commented on PR #624: URL: https://github.com/apache/tooling-trusted-releases/pull/624#issuecomment-3841985091
We could certainly maintain an allow list of suffixes, though it seems likely that even with exhaustive comparison against already published files we are likely to encounter requests to add to the suffixes often. I doubt that `puremagic` can always be relied on for gating content, and I wondered when I added it whether we should be raising warnings rather than blocking with errors. Its database is relatively small, plenty of files don't have magic numbers that it can detect, and there are also overlaps between some magic numbers. ASVS 5.2.2 is pretty clear that at L2 we must validate the content of all files, but I think it would be useful to analyse what confidence levels we have for each type in `puremagic`. We can raise errors for types that we are confident about, and warn about the rest. I did think about using [magika](https://github.com/google/magika) in conjunction with `puremagic`, but it's even more heuristic, though it does cover more types. It claims a 99% success rate, which means we would still have ten false positives or so for every thousand files uploaded, which for some projects will be just one or two releases. It's hard to balance usability with security when the accuracy rate is so low.
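One way to implement the tiered policy sketched above (block only on confident signature mismatches, warn on low-confidence or undetectable content), as an added example that is not code from the PR or the project. The signature table and its confidence values are constructed stand-ins for what a library such as `puremagic` would report, and the 0.9 threshold is an assumption.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    WARN = "warn"
    BLOCK = "block"


# Constructed table: (magic prefix, suffixes it legitimately covers, confidence).
# Confidence expresses how uniquely the signature identifies the type; zip-based
# containers (.jar, .whl, ...) share a prefix, so they get a lower value.
MAGIC = [
    (b"\x1f\x8b", (".gz", ".tgz"), 0.95),
    (b"PK\x03\x04", (".zip", ".jar", ".whl"), 0.80),
    (b"%PDF-", (".pdf",), 0.95),
    (b"-----BEGIN PGP SIGNATURE-----", (".asc", ".sig"), 0.90),
]

BLOCK_THRESHOLD = 0.9  # assumed: detections at least this confident raise errors


@dataclass
class Detection:
    suffixes: tuple
    confidence: float


def detect(data: bytes):
    """Return the most confident matching Detection, or None if no signature is known."""
    best = None
    for prefix, suffixes, conf in MAGIC:
        if data.startswith(prefix) and (best is None or conf > best.confidence):
            best = Detection(suffixes, conf)
    return best


def gate(filename: str, data: bytes) -> tuple:
    """Compare an upload's content against its suffix and return (Verdict, reason)."""
    suffix = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    det = detect(data)
    if det is None:
        # Many files (plain text, source) have no magic number: cannot validate, so warn only.
        return Verdict.WARN, f"{filename}: no known signature, content unverified"
    if suffix in det.suffixes:
        return Verdict.ACCEPT, f"{filename}: content matches suffix"
    if det.confidence >= BLOCK_THRESHOLD:
        return Verdict.BLOCK, f"{filename}: content looks like {det.suffixes[0]} ({det.confidence:.0%})"
    return Verdict.WARN, f"{filename}: content may be {det.suffixes[0]} ({det.confidence:.0%})"
```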
