andrewmusselman opened a new issue, #717:
URL: https://github.com/apache/tooling-trusted-releases/issues/717

   **ASVS Requirement:** 5.2.1
   
   **Description:**
   
   Several file-processing functions read entire file contents into memory 
without size validation:
   
   1. **LICENSE/NOTICE validation** (`atr/tasks/checks/license.py:213-262`): 
`_files_check_core_logic_license()` and `_files_check_core_logic_notice()` call 
`f.read()` on archive members without any size cap. A TODO comment in the code 
already acknowledges this: `# TODO: Check length doesn't exceed some preset`.
   
   2. **Remote KEYS fetch** (`atr/post/keys.py:179-191`): 
`_fetch_keys_from_url()` calls `response.text()` without validating response 
size, allowing memory exhaustion from a compromised or misconfigured remote 
source.
   
   **CWE:** CWE-400 (Uncontrolled Resource Consumption)
   
   **Recommended remediation:**
   - Cap LICENSE and NOTICE reads based on a survey of existing file sizes
   - Implement chunked reading with size tracking for remote KEYS fetch (e.g. 
10 MB max)
   - Check `Content-Length` header on remote responses before reading


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
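Added example, not code from apache/tooling-trusted-releases: the two bounded-read patterns the remediation list asks for, written in Python because the cited modules are Python. The cap values, the function names, and the in-memory tar.gz built by `build_sample_archive()` are assumptions made for illustration. The archive-member path checks the tar header size first and still bounds the actual read; the streamed-body path treats `Content-Length` as an early reject only, because a server can omit it, lie about it, or use chunked transfer encoding, so the running total is the check that actually holds.

```python
"""Bounded reads for archive members and remote responses (CWE-400).

Constructed example for the issue above; not project code. Limits and
function names are assumptions chosen for illustration.
"""
from __future__ import annotations

import io
import tarfile
from typing import BinaryIO, Iterable, Optional

# Assumed limits. The issue suggests surveying real LICENSE/NOTICE sizes
# before fixing a cap; 10 MiB for KEYS is the figure it proposes.
LICENSE_NOTICE_MAX_BYTES = 1024 * 1024
REMOTE_KEYS_MAX_BYTES = 10 * 1024 * 1024


class SizeLimitExceeded(ValueError):
    """Raised when an input is larger than the configured cap."""


def read_bounded(fp: BinaryIO, max_bytes: int, what: str = "stream") -> bytes:
    """Read at most max_bytes from fp, failing if more is available.

    Reading max_bytes + 1 accepts an input of exactly max_bytes while
    detecting a longer one without buffering all of it.
    """
    data = fp.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise SizeLimitExceeded(f"{what}: more than {max_bytes} bytes")
    return data


def collect_license_notice(archive: bytes,
                           max_bytes: int = LICENSE_NOTICE_MAX_BYTES) -> dict[str, object]:
    """Return LICENSE/NOTICE contents from a tar.gz, or an error string per member.

    The tar header size is checked first (cheap, no I/O); the read itself is
    still bounded as defence in depth.
    """
    results: dict[str, object] = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.name.rsplit("/", 1)[-1] not in ("LICENSE", "NOTICE"):
                continue
            if not member.isfile():
                results[member.name] = "not a regular file"
                continue
            if member.size > max_bytes:
                results[member.name] = f"header size {member.size} exceeds cap {max_bytes}"
                continue
            fp = tf.extractfile(member)
            assert fp is not None  # isfile() checked above
            try:
                results[member.name] = read_bounded(fp, max_bytes, member.name)
            except SizeLimitExceeded as exc:
                results[member.name] = str(exc)
    return results


def read_chunks_bounded(chunks: Iterable[bytes], max_bytes: int,
                        content_length: Optional[str] = None) -> bytes:
    """Accumulate a streamed body while tracking its size.

    Content-Length, when present, gives an early rejection, but it is
    advisory only: the running total is the guard that holds.
    """
    if content_length is not None:
        try:
            declared = int(content_length)
        except ValueError:
            raise SizeLimitExceeded("unparseable Content-Length") from None
        if declared < 0 or declared > max_bytes:
            raise SizeLimitExceeded(f"Content-Length {declared} exceeds cap {max_bytes}")
    buf = bytearray()
    for chunk in chunks:
        # Check before appending so the buffer never exceeds the cap.
        if len(buf) + len(chunk) > max_bytes:
            raise SizeLimitExceeded(f"body exceeds cap of {max_bytes} bytes")
        buf.extend(chunk)
    return bytes(buf)


def build_sample_archive(members: dict[str, bytes]) -> bytes:
    """Constructed tar.gz with the given members, for offline testing."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    cap = 64  # small cap so the constructed NOTICE below is oversize
    archive = build_sample_archive({
        "project-1.0/LICENSE": b"Apache License, Version 2.0\n",
        "project-1.0/NOTICE": b"N" * (cap + 1),
    })
    print(collect_license_notice(archive, max_bytes=cap))
    keys = read_chunks_bounded([b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n", b"...\n"],
                               REMOTE_KEYS_MAX_BYTES, content_length="42")
    print(len(keys), "bytes of KEYS accepted")
```

If the HTTP client is aiohttp (the `response.text()` call in the issue suggests it), the streamed-body pattern maps onto `response.content.iter_chunked(65536)` and `response.headers.get("Content-Length")`; since that iterator is asynchronous, `read_chunks_bounded` would need an `async for` variant with the same size bookkeeping. Decode to text only after the bounded bytes have been collected, so an oversized response is rejected before any decoding buffer is allocated.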
