asf-tooling opened a new issue, #1019:
URL: https://github.com/apache/tooling-trusted-releases/issues/1019
**ASVS Level(s):** [L1]
**Description:**
### Summary
The upload staging mechanism accepts files in multiple stages before
finalization. While individual stage requests are bounded by MAX_CONTENT_LENGTH
(512 MB), there are no controls on: 1) Aggregate size - total size of all files
within a staging directory, 2) File count - number of files per staging
session, 3) Cleanup mechanism - abandoned staging directories persist
indefinitely, 4) Session lifetime - no expiration for staging sessions. Staging
directories are only cleaned during `finalise()` - if this is never called,
files remain permanently. This allows authenticated users to stage many files
without finalizing, accumulating disk space over time.
### Details
Affected location: `atr/post/upload.py` lines 137-155
Missing controls:
- No aggregate size limit across all staged files
- No file count limit per session
- No cleanup of abandoned staging directories
- No session expiration
### Recommended Remediation
Implement four controls:
**(1) Add aggregate staging limits** - Check current staging directory size
and file count before accepting new files:
```python
from pathlib import Path

MAX_STAGING_SIZE = 2 * 1024 * 1024 * 1024  # 2 GiB
MAX_STAGING_FILES = 50

def check_staging_limits(staging_dir: Path, file_size: int) -> None:
    # One scan of the directory; lstat() sizes a planted symlink as the link, not its target
    stats = [entry.lstat() for entry in staging_dir.iterdir()]
    current_size = sum(st.st_size for st in stats)
    current_count = len(stats)
    if current_size + file_size > MAX_STAGING_SIZE:
        raise exceptions.PayloadTooLarge("Staging directory size limit exceeded")  # project's own exception
    if current_count >= MAX_STAGING_FILES:
        raise exceptions.PayloadTooLarge("Staging file count limit exceeded")
```
**(2) Create a periodic cleanup task** - Implement a `cleanup_stale_staging()`
function in a new `atr/tasks/cleanup.py` that removes staging directories older
than 24 hours. Run it every 6 hours via the scheduler.
**(3) Add configuration** - Externalize limits to `atr/config.py` as
MAX_STAGING_SIZE, MAX_STAGING_FILES, and STAGING_MAX_AGE_SECONDS.
**(4) Add monitoring** - Create `get_staging_metrics()` to track total
staging directories, size, and oldest staging age for operational visibility.
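The code-level controls above ((1) aggregate limits, (2) stale-session cleanup, (4) metrics) worked end-to-end, as an added example that is not the issue's or the tooling-trusted-releases project's code. It assumes a layout of `<staging_root>/<session_id>/<file>`; the names `check_staging_limits`, `cleanup_stale_staging`, `get_staging_metrics`, the stand-in `PayloadTooLarge` exception and the `demo()` scenario are hypothetical or constructed. Staleness is judged by the newest mtime in a session rather than the directory's creation time, so a session still receiving files is never reaped, and entries are examined with `lstat()` so a symlink planted in a staging directory is not followed for sizing or deletion.

```python
# Added example, not project code.  Layout assumed: <root>/<session_id>/<file>.
from __future__ import annotations

import os
import shutil
import stat
import tempfile
import time
from pathlib import Path

# Hypothetical defaults for the settings the issue proposes for atr/config.py
MAX_STAGING_SIZE = 2 * 1024 * 1024 * 1024  # 2 GiB per session
MAX_STAGING_FILES = 50
STAGING_MAX_AGE_SECONDS = 24 * 60 * 60

class PayloadTooLarge(Exception):
    """Stand-in for the application's own 'payload too large' exception."""

def _session_usage(session_dir: Path) -> tuple[int, int, float]:
    """One scan: (bytes in regular files, file count, newest mtime seen)."""
    total, count, newest = 0, 0, session_dir.lstat().st_mtime
    for entry in session_dir.iterdir():
        st = entry.lstat()  # lstat: a symlink planted in the session is not followed
        if stat.S_ISREG(st.st_mode):
            total += st.st_size
            count += 1
            newest = max(newest, st.st_mtime)
    return total, count, newest

def check_staging_limits(session_dir: Path, incoming_size: int,
                         max_size: int = MAX_STAGING_SIZE,
                         max_files: int = MAX_STAGING_FILES) -> None:
    """Reject an upload that would push the session past its quota.  Run it under the
    per-session lock that writes the file, or two concurrent requests can both pass."""
    total, count, _ = _session_usage(session_dir)
    if count >= max_files:
        raise PayloadTooLarge(f"file count limit exceeded ({count}/{max_files})")
    if total + incoming_size > max_size:
        raise PayloadTooLarge(f"size limit exceeded ({total + incoming_size}/{max_size})")

def cleanup_stale_staging(root: Path, max_age: int = STAGING_MAX_AGE_SECONDS,
                          now: float | None = None) -> list[str]:
    """Reap sessions whose newest mtime is older than max_age; a session still
    receiving files keeps a fresh mtime and survives.  Returns the reaped ids."""
    now = time.time() if now is None else now
    removed = []
    for session_dir in root.iterdir():
        if session_dir.is_symlink() or not session_dir.is_dir():
            continue  # only real directories directly under root are sessions
        if now - _session_usage(session_dir)[2] > max_age:
            shutil.rmtree(session_dir)
            removed.append(session_dir.name)
    return sorted(removed)

def get_staging_metrics(root: Path, now: float | None = None) -> dict:
    """Aggregate view of the staging root for dashboards and alert thresholds."""
    now = time.time() if now is None else now
    m = {"sessions": 0, "total_bytes": 0, "total_files": 0, "oldest_age_seconds": 0.0}
    for session_dir in root.iterdir():
        if session_dir.is_symlink() or not session_dir.is_dir():
            continue
        total, count, newest = _session_usage(session_dir)
        m["sessions"] += 1
        m["total_bytes"] += total
        m["total_files"] += count
        m["oldest_age_seconds"] = max(m["oldest_age_seconds"], now - newest)
    return m

def demo() -> dict:
    """Constructed scenario: a live session (2 files, 150 bytes) and one abandoned 2 days ago."""
    root = Path(tempfile.mkdtemp(prefix="staging-"))
    live, stale = root / "live", root / "stale"
    for d in (live, stale):
        d.mkdir()
    (live / "a.tar.gz").write_bytes(b"A" * 100)
    (live / "b.tar.gz").write_bytes(b"B" * 50)
    (stale / "old.tar.gz").write_bytes(b"O" * 10)
    now = time.time()
    for p in (stale / "old.tar.gz", stale):  # file first, so the dir mtime stays old
        os.utime(p, (now - 2 * STAGING_MAX_AGE_SECONDS,) * 2)

    def rejected(size: int, **limits) -> bool:
        try:
            check_staging_limits(live, size, **limits)
        except PayloadTooLarge:
            return True
        return False

    out = {
        "within_size": rejected(40, max_size=200, max_files=5),  # 150 + 40 <= 200
        "over_size": rejected(60, max_size=200, max_files=5),    # 150 + 60 > 200
        "over_count": rejected(1, max_size=10**9, max_files=2),  # already 2 files
        "sessions_before": get_staging_metrics(root, now=now)["sessions"],
        "removed": cleanup_stale_staging(root, now=now),
    }
    after = get_staging_metrics(root, now=now)
    out["sessions_after"], out["bytes_after"] = after["sessions"], after["total_bytes"]
    shutil.rmtree(root)
    return out
```

Calling `demo()` exercises all three controls on the constructed tree. The limit check must run under the same per-session lock that writes the incoming file; otherwise two concurrent uploads can each pass the check and together overshoot the quota. The per-request `MAX_CONTENT_LENGTH` bound still applies on top of these checks, and the cleanup task should run as the same unprivileged user that owns the staging root so a reaped symlink can never reach outside it.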
### Acceptance Criteria
- [ ] Aggregate staging size is limited per session
- [ ] File count is limited per session
- [ ] Stale staging directories are cleaned up automatically
- [ ] Limits are configurable
- [ ] Monitoring metrics are available
- [ ] Test cases verify limits
- [ ] Unit test verifying the fix
### References
- Source reports: L1:5.2.1.md
- Related findings: None
- ASVS sections: 5.2.1
### Priority
Medium
---
**Related issue:**
https://github.com/apache/tooling-trusted-releases/issues/968
---
**Triage notes:** related to
https://github.com/apache/tooling-trusted-releases/issues/968
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]