asf-tooling opened a new issue, #978:
URL: https://github.com/apache/tooling-trusted-releases/issues/978
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
SSH rsync operations execute without timeout controls via indefinite
`proc.wait()` blocking. Unlike worker processes, which have comprehensive
resource limits (300s CPU, 3GB memory), the SSH server runs in the main web
server process. Hung rsync operations can exhaust server resources and affect
HTTP request handling. Each connection holds an asyncio task, a subprocess, an SSH
session, and file descriptors indefinitely. Stalled network connections or
malicious clients can cause resource exhaustion.
### Details
**Affected Files and Lines:**
- `atr/ssh.py:460` - proc.wait() without timeout
- `atr/ssh.py:_step_02_handle_safely` - Operation handler
- `atr/ssh.py:_step_07a_process_validated_rsync_read` - Read operation
- `atr/ssh.py:_step_07b_process_validated_rsync_write` - Write operation
While other subprocess operations correctly use
`asyncio.wait_for(proc.communicate(), timeout=300)`, rsync has no timeout
protection.
### Recommended Remediation
Add timeout to rsync subprocess execution:
```python
import asyncio
import asyncssh

# In _step_07a_process_validated_rsync_read and
# _step_07b_process_validated_rsync_write
try:
    await asyncio.wait_for(proc.wait(), timeout=3600)  # 1 hour for large transfers
except asyncio.TimeoutError:
    proc.kill()          # do not leave the hung rsync running in the web server process
    await proc.wait()    # reap the killed child before reporting the failure
    raise asyncssh.BreakReceived('rsync operation timed out')
```
Use 1-hour maximum for large transfers (aligned with 600s SVN timeout but
allowing for larger file transfers). Make timeout configurable via
`atr/config.py` with `SSH_RSYNC_TIMEOUT` parameter. Add monitoring/alerting for
rsync operations exceeding threshold. Consider implementing progress tracking
to distinguish stalled vs. active transfers.
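As an added example (not the ATR project's code), the following bounded subprocess runner follows the remediation above: an overall cap plus an idle cap that separates a stalled transfer (no output) from a slow but active one, with the child killed and reaped in either case. `SSH_RSYNC_TIMEOUT`, `run_bounded`, `demo` and the constructed child scripts standing in for rsync are assumptions of this example.

```python
import asyncio
import sys
from dataclasses import dataclass
from typing import List, Optional
SSH_RSYNC_TIMEOUT = 3600.0  # assumed default; the issue proposes this knob in atr/config.py

@dataclass
class RunResult:
    returncode: Optional[int]
    reason: str  # "ok", "idle_timeout" or "total_timeout"
    output: bytes

async def run_bounded(cmd: List[str], total_timeout: float = SSH_RSYNC_TIMEOUT,
                      idle_timeout: Optional[float] = None) -> RunResult:
    # Kill cmd if it outlives total_timeout or emits nothing for idle_timeout seconds.
    proc = await asyncio.create_subprocess_exec(*cmd, stdout=asyncio.subprocess.PIPE)
    loop, chunks, reason = asyncio.get_running_loop(), [], "ok"
    deadline = loop.time() + total_timeout
    try:
        while True:
            remaining = deadline - loop.time()
            if remaining <= 0:
                reason = "total_timeout"
                break
            wait = remaining if idle_timeout is None else min(remaining, idle_timeout)
            try:
                chunk = await asyncio.wait_for(proc.stdout.read(4096), timeout=wait)
            except asyncio.TimeoutError:  # idle cap counts only if it was the tighter bound
                idle = idle_timeout is not None and idle_timeout <= remaining
                reason = "idle_timeout" if idle else "total_timeout"
                break
            if not chunk:  # EOF: child closed stdout; the exit wait below is bounded too
                break
            chunks.append(chunk)
        if reason == "ok":
            await asyncio.wait_for(proc.wait(), timeout=max(0.0, deadline - loop.time()))
    except asyncio.TimeoutError:
        reason = "total_timeout"
    finally:
        if reason != "ok" and proc.returncode is None:
            proc.kill()  # never leave a hung child inside the web server process
        await proc.wait()  # reap; returns promptly after kill()
    return RunResult(proc.returncode, reason, b"".join(chunks))

def demo(scenario: str) -> RunResult:
    # Constructed stand-ins for rsync: steady output / one line then a hang / endless output.
    scripts = {"active": "import time\nfor i in range(3): print(i, flush=True); time.sleep(0.2)",
               "stalled": "import time\nprint('start', flush=True); time.sleep(30)",
               "endless": "import time\nwhile True: print('x', flush=True); time.sleep(0.05)"}
    return asyncio.run(run_bounded([sys.executable, "-c", scripts[scenario]], 2.0, 0.5))
```

The `reason` field is what a monitoring hook would emit so that idle stalls and runaway transfers can be counted and alerted on separately.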
### Acceptance Criteria
- [ ] Timeout added to rsync operations
- [ ] Process killed on timeout
- [ ] Timeout configurable
- [ ] Monitoring/alerting considered
- [ ] Progress tracking considered
- [ ] Unit test verifying the fix
### References
- Source reports: L2:15.1.3.md, L2:15.2.2.md
- Related findings: FINDING-012, FINDING-205
- ASVS sections: 15.1.3, 15.2.2
### Priority
High
---
**Related issue:**
https://github.com/apache/tooling-trusted-releases/issues/723
---
**Triage notes:** adjacent to
https://github.com/apache/tooling-trusted-releases/issues/723
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.