andrewmusselman opened a new issue, #716: URL: https://github.com/apache/tooling-trusted-releases/issues/716
**ASVS Requirement:** 5.2.1

**Description:** The SSH/rsync upload path allows authenticated users to transfer unlimited data to the server, completely bypassing any web server-level protections.

**Affected location:** `atr/ssh.py:360-410` — `_step_07b_process_validated_rsync_write()` executes rsync with no file size or total transfer size limits.

**Impact:** Authenticated SSH users can exhaust disk space through rsync transfers.

**CWE:** CWE-400 (Uncontrolled Resource Consumption)

**Recommended remediation:**
- Add rsync `--max-size` flag to limit individual file sizes
- Implement per-release or per-project disk quotas
- Monitor cumulative disk usage during transfers with automatic termination on threshold breach
- Set the limit to N GB (`--max-size` is per file), value to be determined by doing an analysis of existing files plus extra padding

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
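The two controls that can be implemented in code from the remediation list above, as an added example; this is not code from the ATR project and does not reproduce `_step_07b_process_validated_rsync_write()`. It assumes the rsync server is launched from an argv list the SSH layer already has, that rsync's receiving side honours a `--max-size` placed in that argv (to be confirmed against the deployed rsync version), and that the caller wires stdin/stdout to the SSH channel. The helper names `with_max_size`, `directory_usage_bytes` and `run_with_quota`, and the Python child process standing in for rsync, are constructed for the example.

```python
"""Per-file ceiling plus per-directory quota for an rsync upload (added example,
not ATR project code). Helper names and the argv shape are assumptions."""
from __future__ import annotations

import os
import stat
import subprocess
import sys
import tempfile
from dataclasses import dataclass


def with_max_size(argv: list[str], max_file_bytes: int) -> list[str]:
    """Copy of argv with a server-side --max-size=<bytes> enforced.

    Any client-supplied --max-size (--max-size=N or --max-size N) is dropped
    first, so the client cannot raise the ceiling from its own command line.
    """
    if max_file_bytes <= 0:
        raise ValueError("max_file_bytes must be positive")
    kept: list[str] = []
    skip_next = False
    for arg in argv:
        if skip_next:
            skip_next = False
        elif arg == "--max-size":
            skip_next = True
        elif not arg.startswith("--max-size="):
            kept.append(arg)
    # Directly after the program name, ahead of "--server" and any paths.
    return [kept[0], f"--max-size={max_file_bytes}", *kept[1:]]


def directory_usage_bytes(root: str) -> int:
    """Apparent size of regular files below root; symlinks are neither followed
    nor counted, so a client cannot redirect the walk. rsync's in-progress
    temporary files live in the same tree and are therefore counted too."""
    total = 0
    for dirpath, _dirs, names in os.walk(root, followlinks=False):
        for name in names:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except FileNotFoundError:
                continue  # renamed or removed between listing and stat
            if stat.S_ISREG(st.st_mode):
                total += st.st_size
    return total


@dataclass(frozen=True)
class TransferResult:
    returncode: int
    quota_exceeded: bool
    usage_bytes: int


def run_with_quota(argv: list[str], watch_dir: str, quota_bytes: int,
                   poll_interval: float = 0.05, grace: float = 2.0,
                   **popen_kwargs) -> TransferResult:
    """Run argv and terminate it as soon as watch_dir grows past quota_bytes.
    SIGTERM first, SIGKILL after `grace` seconds if it does not exit."""
    proc = subprocess.Popen(argv, **popen_kwargs)
    exceeded = False
    while True:
        if directory_usage_bytes(watch_dir) > quota_bytes:
            exceeded = True
            proc.terminate()
            try:
                proc.wait(timeout=grace)
            except subprocess.TimeoutExpired:
                proc.kill()
                proc.wait()
            break
        try:
            proc.wait(timeout=poll_interval)
            break  # transfer finished on its own
        except subprocess.TimeoutExpired:
            continue  # still running: poll usage again
    usage = directory_usage_bytes(watch_dir)  # final check catches a burst between polls
    return TransferResult(proc.returncode, exceeded or usage > quota_bytes, usage)


# Constructed stand-in for an unbounded upload: writes `total` bytes into `dest`
# in 64 KiB chunks with short pauses, the way a receiving rsync grows a file.
_WRITER = r"""
import os, sys, time
dest, total, chunk = sys.argv[1], int(sys.argv[2]), 64 * 1024
with open(os.path.join(dest, "upload.bin"), "wb") as f:
    written = 0
    while written < total:
        f.write(b"A" * chunk); f.flush()
        written += chunk
        time.sleep(0.01)
"""


def demo(total_bytes: int, quota_bytes: int) -> TransferResult:
    """Run the constructed writer under the quota monitor in a temp directory."""
    with tempfile.TemporaryDirectory() as dest:
        argv = [sys.executable, "-c", _WRITER, dest, str(total_bytes)]
        return run_with_quota(argv, dest, quota_bytes, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


if __name__ == "__main__":
    print(with_max_size(["rsync", "--server", "--max-size=1t", "-logDtpr", ".", "/srv/incoming/"], 2 * 1024**3))
    print(demo(8 * 1024 * 1024, 1024 * 1024))  # terminated, quota_exceeded=True
    print(demo(256 * 1024, 1024 * 1024))       # completes, quota_exceeded=False
```

`--max-size` only bounds one file, so a client can still fill the disk with many files under the ceiling; the polling monitor is what bounds the total, and the quota it enforces should be per release or per project as the issue suggests rather than per session. Apparent size (`st_size`) overcounts sparse files, which errs on the safe side for a quota; the final measurement after the process exits catches a burst written between two polls.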
