andrewmusselman opened a new issue, #724: URL: https://github.com/apache/tooling-trusted-releases/issues/724
**ASVS Reference:** 6.3.1 (Finding HIGH-001) ### Description Six API endpoints that validate Trusted Publisher JWTs lack endpoint-specific rate limiting. They rely only on the global API-wide 500 requests/hour limit, which is too permissive for authentication-adjacent endpoints. By contrast, `publisher_ssh_register` already has a 10/hour limit. ### Affected Endpoints | Endpoint | Line (approx.) | Authentication Method | |----------|------|----------------------| | `/distribute/ssh/register` | 72 | Trusted Publisher JWT | | `/distribution/record_from_workflow` | 123 | Trusted Publisher JWT | | `/publisher/distribution/record` | 465 | Trusted Publisher JWT | | `/publisher/release/announce` | 502 | Trusted Publisher JWT | | `/publisher/vote/resolve` | 547 | Trusted Publisher JWT | | `/distribute/task/status` | 661 | Trusted Publisher JWT | All in `atr/api/__init__.py`. ### Recommendation Add `@rate_limiter.rate_limit(10, datetime.timedelta(hours=1))` to each affected endpoint, matching the pattern used by `publisher_ssh_register` and `jwt_create`. We may need to remove the rate limiting, not add more; need to ask @arm about this. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
