asf-tooling opened a new issue, #965:
URL: https://github.com/apache/tooling-trusted-releases/issues/965

   **ASVS Level(s):** [L2-only]
   
   **Description:**
   
   ### Summary
   Critical state-changing API endpoints (release_create, release_upload, release_announce, vote_start, vote_resolve, distribution_record, policy_update, release_delete) rely only on the global rate limit (500 requests/hour) without per-endpoint throttling. This allows authenticated users to perform resource-intensive operations at rates that can cause service degradation, email flooding, and storage exhaustion.
   
   ### Details
   **Affected Files and Lines:**
   - `atr/api/__init__.py` - Multiple endpoints without per-endpoint rate limiting
   
   The global rate limit of 500 requests/hour is too permissive for operations that send emails, modify critical state, or consume significant resources. Without per-endpoint limits, users can abuse individual operations within the global budget.
   
   ### Recommended Remediation
   Apply tiered rate limiting decorators to state-changing endpoints:
   
   **Tier 1 (5/hour)** for email-sending operations:
   ```python
   @rate_limiter.rate_limit(5, datetime.timedelta(hours=1))
   async def vote_start(...):
       ...
   
   @rate_limiter.rate_limit(5, datetime.timedelta(hours=1))
   async def release_announce(...):
       ...
   
   @rate_limiter.rate_limit(5, datetime.timedelta(hours=1))
   async def release_delete(...):
       ...
   ```
   
   **Tier 2 (10/hour)** for state-changing operations:
   ```python
   @rate_limiter.rate_limit(10, datetime.timedelta(hours=1))
   async def release_create(...):
       ...
   
   @rate_limiter.rate_limit(10, datetime.timedelta(hours=1))
   async def release_upload(...):
       ...
   
   @rate_limiter.rate_limit(10, datetime.timedelta(hours=1))
   async def vote_resolve(...):
       ...
   ```
   
   Use the existing `@rate_limiter.rate_limit` decorator consistently across all sensitive endpoints.
   
   ### Acceptance Criteria
   - [ ] Email-sending endpoints limited to 5/hour
   - [ ] State-changing endpoints limited to 10/hour
   - [ ] Rate limit decorators applied
   - [ ] Error messages inform users of limits
   - [ ] Integration test verifies enforcement
   - [ ] Unit test verifying the fix
   
   ### References
   - Source reports: L2:2.3.2.md
   - Related findings: FINDING-028
   - ASVS sections: 2.3.2
   
   ### Priority
   High
   
   ---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
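The following is an added, self-contained example written for this page; it is not the project's `rate_limiter` module and does not reproduce its internals. It only borrows the `rate_limit(limit, period)` decorator shape and the budgets quoted in the issue (500/hour global, 5/hour for mail-sending endpoints, 10/hour for other state changes). Everything else is assumed for illustration: the in-memory `SlidingWindowLimiter`, the `RateLimitExceeded` error whose message names the limit that was hit, the `caller` keyword that stands in for the authenticated user, the `"global"` scope, and the injectable clock that lets a full hour be simulated without sleeping. `simulate(tiered=False)` reproduces the finding (one user triggers 500 announcement mails inside the global budget); `simulate(tiered=True)` shows the same user cut off after 5 mails with an error that states the limit, which is the acceptance criterion the issue asks for.

```python
"""Tiered per-endpoint rate limiting for async endpoints (illustrative example)."""
from __future__ import annotations

import asyncio
import collections
import datetime
import functools
import time


class RateLimitExceeded(Exception):
    """Raised when a caller exceeds a limit; the message names the limit that was hit."""

    def __init__(self, scope: str, limit: int, period: datetime.timedelta, retry_after: float):
        self.retry_after = retry_after
        super().__init__(f"{scope}: limit of {limit} requests per {int(period.total_seconds())}s "
                         f"exceeded, retry after {retry_after:.0f}s")


class SlidingWindowLimiter:
    """In-memory sliding-window limiter keyed by (scope, caller); clock is injectable for tests."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._hits: dict[tuple[str, str], collections.deque[float]] = collections.defaultdict(collections.deque)

    def check(self, scope: str, caller: str, limit: int, period: datetime.timedelta) -> None:
        now, window = self._clock(), period.total_seconds()
        hits = self._hits[(scope, caller)]
        while hits and now - hits[0] >= window:  # age out timestamps older than the window
            hits.popleft()
        if len(hits) >= limit:
            raise RateLimitExceeded(scope, limit, period, window - (now - hits[0]))
        hits.append(now)

    def rate_limit(self, limit: int, period: datetime.timedelta, scope: str | None = None):
        """Decorator: enforce `limit` per `period` for each `caller` under `scope` (default: function name)."""
        def decorator(fn):
            name = scope or fn.__name__

            @functools.wraps(fn)
            async def wrapper(*args, caller: str, **kwargs):
                self.check(name, caller, limit, period)  # raises before any work is done
                return await fn(*args, caller=caller, **kwargs)
            return wrapper
        return decorator


# Budgets from the issue: one global budget shared by all endpoints, two per-endpoint tiers.
GLOBAL_LIMIT = (500, datetime.timedelta(hours=1))
TIER_EMAIL = (5, datetime.timedelta(hours=1))   # endpoints that send mail
TIER_STATE = (10, datetime.timedelta(hours=1))  # other state-changing endpoints
TIERS = {"release_announce": TIER_EMAIL, "release_create": TIER_STATE}


def build_endpoints(limiter: SlidingWindowLimiter, tiered: bool):
    """Return ({name: coroutine}, sent_mail). tiered=False is the current state: global budget only."""
    sent_mail: list[tuple[str, str]] = []

    async def release_announce(release: str, *, caller: str) -> str:
        sent_mail.append((caller, release))  # stand-in for the real announcement e-mail
        return f"announced {release}"

    async def release_create(release: str, *, caller: str) -> str:
        return f"created {release}"

    endpoints = {"release_announce": release_announce, "release_create": release_create}
    # Global budget innermost: one counter per caller, shared across endpoints.
    endpoints = {n: limiter.rate_limit(*GLOBAL_LIMIT, scope="global")(f) for n, f in endpoints.items()}
    if tiered:
        # Per-endpoint tier outermost, so a request the tier rejects does not burn global budget.
        endpoints = {n: limiter.rate_limit(*TIERS[n], scope=n)(f) for n, f in endpoints.items()}
    return endpoints, sent_mail


async def hammer(endpoint, caller: str, attempts: int) -> tuple[int, str | None]:
    """Call `endpoint` `attempts` times; return (successes, first rate-limit message seen)."""
    ok, first_error = 0, None
    for i in range(attempts):
        try:
            await endpoint(f"r{i}", caller=caller)
            ok += 1
        except RateLimitExceeded as exc:
            first_error = first_error or str(exc)
    return ok, first_error


def simulate(tiered: bool, attempts: int = 600) -> dict:
    """One authenticated user hammers release_announce, then release_create an hour later."""
    fake_now = [0.0]
    limiter = SlidingWindowLimiter(clock=lambda: fake_now[0])
    endpoints, sent_mail = build_endpoints(limiter, tiered)
    announced, err = asyncio.run(hammer(endpoints["release_announce"], "alice", attempts))
    fake_now[0] += 3600.0  # the hour rolls over and every window empties
    created, _ = asyncio.run(hammer(endpoints["release_create"], "alice", 20))
    return {"emails_sent": len(sent_mail), "announced": announced, "created": created, "error": err}
```

Two design points worth carrying into a real fix: the per-endpoint tier is checked before the shared global budget, so a request that the tier rejects does not also consume the caller's global allowance, and the counters here live in process memory, which is only correct for a single worker; a multi-worker or multi-host deployment needs the window state in a shared store so the limit cannot be multiplied by the number of workers.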
