andrewmusselman opened a new issue, #715:
URL: https://github.com/apache/tooling-trusted-releases/issues/715
**ASVS Requirement:** 5.2.1 — Verify that the application only accepts files
of sizes that can be processed without causing denial of service.
**Description:**
The `MAX_CONTENT_LENGTH` value is defined in `atr/config.py` (512 MB
default) but is never applied to the Quart application configuration, meaning
the framework does not enforce request body size limits. Additionally, all HTTP
file upload handlers write incoming files to disk without validating file size
before or during the write.
**Affected locations:**
- `atr/config.py:74` — value defined but not propagated to `app.config`
- `src/asfquart/base.py` — `construct()` does not set `MAX_CONTENT_LENGTH`
- `atr/post/upload.py:100-129` — `stage()` writes unlimited data via chunked
reads
- `atr/storage/writers/release.py:208-250` — `upload_file()` decodes base64
without size limit
- `atr/post/keys.py:203-216` — `_upload_file_keys()` reads entire file into
memory with no size check
- `atr/storage/writers/keys.py:135-149` — `__ensure_one()` processes
unbounded key file text
- `atr/form.py:320-378` — `to_filestorage()` / `to_filestorage_list()`
return file objects without size checks
**Impact:** Authenticated users can exhaust server memory or disk via
oversized uploads. All HTTP upload endpoints are vulnerable.
**CWE:** CWE-770 (Allocation of Resources Without Limits), CWE-400
(Uncontrolled Resource Consumption)
**Recommended remediation:**
1. Add p6 yamls to the data store alongside `atr` and `asfquart`
   * https://github.com/apache/infrastructure-p6/blob/env/tooling/modules/tooling/manifests/atr_container.pp
   * https://github.com/apache/infrastructure-p6/blob/production/data/nodes/tooling-vm-ec2-de.apache.org.yaml
   * Any others @sbp ?
2. If this does not fix the audit false positive, add `audit_guidance` about
how `quart` is configured
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
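The two failure patterns the issue names, a chunked copy to disk that never counts what it has written and a base64 decode that allocates before it knows the decoded size, next to versions that enforce a byte cap. This is an added example and not code from apache/tooling-trusted-releases; the names `stage_unbounded`, `stage_bounded`, `decode_base64_bounded` and `run_demo` are this example's own, and the 512 MB figure is simply the default the issue quotes. It uses only the standard library so it runs without Quart.

```python
"""Bounded staging of uploaded bytes (added example, not project code)."""
import base64
import io
import os
import tempfile

MAX_UPLOAD_BYTES = 512 * 1024 * 1024  # the 512 MB default the issue quotes
CHUNK = 64 * 1024


class UploadTooLarge(ValueError):
    """Raised when an upload would exceed the configured cap."""


def stage_unbounded(stream, dest_path):
    """Pattern the issue describes: copy to disk until EOF, trusting the client."""
    written = 0
    with open(dest_path, "wb") as out:
        while chunk := stream.read(CHUNK):
            out.write(chunk)
            written += len(chunk)
    return written


def stage_bounded(stream, dest_path, limit=MAX_UPLOAD_BYTES):
    """Copy at most `limit` bytes; abort and delete the partial file otherwise.

    Counting while writing, rather than trusting Content-Length, is what stops
    a client that omits or lies about the header from filling the disk, and
    never asking the stream for more than limit + 1 bytes in total keeps the
    memory side bounded as well.
    """
    written = 0
    try:
        with open(dest_path, "wb") as out:
            while chunk := stream.read(min(CHUNK, limit - written + 1)):
                written += len(chunk)
                if written > limit:
                    raise UploadTooLarge(f"upload exceeds {limit} bytes")
                out.write(chunk)
    except UploadTooLarge:
        os.unlink(dest_path)  # a partially staged file must not linger
        raise
    return written


def decode_base64_bounded(encoded, limit=MAX_UPLOAD_BYTES):
    """Reject oversized base64 input before decoding rather than after.

    For padded base64 the decoded length is len * 3 / 4 minus the trailing
    '=' characters, so the bound is known before any decoded buffer exists.
    """
    if isinstance(encoded, str):
        encoded = encoded.encode("ascii")
    padding = len(encoded) - len(encoded.rstrip(b"="))
    decoded_len = len(encoded) * 3 // 4 - padding
    if decoded_len > limit:
        raise UploadTooLarge(f"decoded size {decoded_len} exceeds {limit} bytes")
    return base64.b64decode(encoded, validate=True)


def run_demo(payload, limit):
    """Stage a constructed payload both ways and report what happened."""
    with tempfile.TemporaryDirectory() as workdir:
        dest = os.path.join(workdir, "staged.bin")
        unbounded_written = stage_unbounded(io.BytesIO(payload), dest)
        os.unlink(dest)
        try:
            stage_bounded(io.BytesIO(payload), dest, limit=limit)
            rejected = False
        except UploadTooLarge:
            rejected = True
        partial_left = os.path.exists(dest)
    return {
        "unbounded_written": unbounded_written,
        "bounded_rejected": rejected,
        "partial_left": partial_left,
    }


if __name__ == "__main__":
    # Constructed input: a 3 KiB upload against a 2 KiB cap.
    print(run_demo(b"A" * 3072, 2048))
    print(decode_base64_bounded("aGVsbG8=", limit=5))
```

The per-handler checks above are the second line of defence. The first is the framework setting the issue says never gets applied: in Quart, as in Flask, `app.config["MAX_CONTENT_LENGTH"]` is the key that makes the request machinery reject oversized bodies before a handler runs, and a value that lives only in `atr/config.py` does nothing until it is copied into that mapping.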