asf-tooling opened a new issue, #1003:
URL: https://github.com/apache/tooling-trusted-releases/issues/1003

   **ASVS Level(s):** [L2-only]
   
   **Description:**
   
   ### Summary
   The SSH rsync interface has no rate limiting on write operations, while the 
web interface has comprehensive rate limiting. This creates a bypass path where 
authenticated users can perform unlimited writes via SSH while being throttled 
on the web interface, enabling release object creation flooding, parallel 
upload flooding, and resource exhaustion.
   
   ### Details
   **Affected Files and Lines:**
   - `atr/ssh.py` - SSH interface without rate limiting
   
   The SSH interface allows unlimited write operations, creating an alternative 
path to bypass web interface rate limits. This inconsistency undermines the 
rate limiting security controls.
   
   ### Recommended Remediation
   Implement SSH-specific rate limiting:
   
   ```python
   import collections
   import time

   # Track write-operation timestamps per ASF UID
   _ssh_rate_limits: dict[str, collections.deque] = {}
   
   def _check_ssh_rate_limit(asf_uid: str) -> bool:
       """Check if user has exceeded SSH rate limits."""
       now = time.time()
       
       if asf_uid not in _ssh_rate_limits:
           _ssh_rate_limits[asf_uid] = collections.deque()
       
       operations = _ssh_rate_limits[asf_uid]
       
       # Remove operations outside 1-hour window
       while operations and now - operations[0] > 3600:
           operations.popleft()
       
       # Check limits: 10 writes/minute, 100 writes/hour
       recent_minute = sum(1 for t in operations if now - t < 60)
       if recent_minute >= 10:
           return False
       if len(operations) >= 100:
           return False
       
       operations.append(now)
       return True
   ```
   
   Add the `_check_ssh_rate_limit()` function and call it in 
`_step_02_handle_safely()` before processing write operations. Implement a 
periodic cleanup task for the rate limit tracking data. Make the timeout configurable 
via `atr/config.py` with an `SSH_RSYNC_TIMEOUT` parameter.
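   A fuller form of the proposed limiter, added here as an example and not the project's own code: it keeps the sliding minute and hour windows from the snippet above, adds the periodic cleanup task the remediation calls for, and drives one user through both caps with a fake clock so the behaviour can be unit tested without sleeping. The class and function names and the user IDs are assumptions.

   ```python
   import collections
   import time

   # Limits taken from this issue: 10 writes/minute, 100 writes/hour.
   MINUTE_LIMIT, HOUR_LIMIT, HOUR = 10, 100, 3600


   class SshWriteRateLimiter:
       """Per-ASF-UID sliding-window limiter; the clock is injectable so tests need no sleeps."""

       def __init__(self, clock=time.time) -> None:
           self._clock = clock
           self._ops: dict[str, collections.deque[float]] = {}

       def allow(self, asf_uid: str) -> bool:
           """Record one write for asf_uid; return False if it would exceed a limit."""
           now = self._clock()
           ops = self._ops.setdefault(asf_uid, collections.deque())
           while ops and now - ops[0] > HOUR:  # drop timestamps outside the hour window
               ops.popleft()
           if sum(1 for t in ops if now - t < 60) >= MINUTE_LIMIT or len(ops) >= HOUR_LIMIT:
               return False
           ops.append(now)
           return True

       def cleanup(self) -> tuple[int, int]:
           """The periodic task: forget users idle for over an hour; return (dropped, still tracked)."""
           now = self._clock()
           idle = [u for u, ops in self._ops.items() if not ops or now - ops[-1] > HOUR]
           for u in idle:
               del self._ops[u]
           return len(idle), len(self._ops)


   def run_scenario() -> dict:
       """Drive one user through the minute cap, the hour cap and the cleanup task (fake clock)."""
       clock = {"now": 0.0}
       limiter = SshWriteRateLimiter(lambda: clock["now"])
       limiter.allow("bob")                                  # bob writes once at t=0
       burst = [limiter.allow("alice") for _ in range(11)]   # 10 allowed, the 11th refused
       clock["now"] = 61
       after_minute = limiter.allow("alice")                 # minute window has slid: allowed
       for m in range(9):                                    # 89 more writes, 10 per minute, 9 in the last
           clock["now"] = 121 + 60 * m
           for _ in range(10 if m < 8 else 9):
               limiter.allow("alice")
       hour_cap_hit = not limiter.allow("alice")             # 100 in the hour: refused
       clock["now"] = 3601
       after_hour = limiter.allow("alice")                   # the t=0 burst has expired: allowed
       dropped, tracked = limiter.cleanup()                  # bob idle for over an hour, alice kept
       return {"burst": burst, "after_minute": after_minute, "hour_cap_hit": hour_cap_hit,
               "after_hour": after_hour, "dropped": dropped, "tracked": tracked}
   ```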
   
   ### Acceptance Criteria
   - [ ] Rate limiting implemented for SSH writes
   - [ ] 10 writes/minute limit enforced
   - [ ] 100 writes/hour limit enforced
   - [ ] Rate limit tracking per user
   - [ ] Cleanup task prevents memory growth
   - [ ] Unit test verifying the fix
   
   ### References
   - Source reports: L2:2.3.2.md
   - Related findings: FINDING-027
   - ASVS sections: 2.3.2
   
   ### Priority
   High
   
   ---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.