asf-tooling opened a new issue, #1022:
URL: https://github.com/apache/tooling-trusted-releases/issues/1022
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The `check_archive_safety()` function runs BEFORE extraction and iterates
every archive member, with access to the `member.size` attribute, but it does
not accumulate or validate the total uncompressed size against
`MAX_EXTRACT_SIZE`. Total size enforcement is deferred to the extraction phase,
via the exarch `SecurityConfig` or the streaming checks in `archives.py`. For
ZIP files, `zipfile.ZipFile.infolist()` returns all member metadata from the
central directory without decompressing any content, so pre-extraction size
validation is trivially achievable. An attacker could upload a ZIP with 50,000
files of 40 KB each (~2 GB total) that passes the safety checks and begins
extraction, consuming significant disk I/O and temporary storage before the
limits are enforced during extraction.
### Details
Affected locations:
- `atr/detection.py` lines 62-75: check_archive_safety() iterates members
- `atr/tasks/quarantine.py` lines 250-265: Calls check_archive_safety()
The function iterates all archive members and accesses member.size but never
accumulates total size or validates against MAX_EXTRACT_SIZE.
### Recommended Remediation
Add total uncompressed size validation to `check_archive_safety()` by
accumulating member.size during iteration and checking against
`config.get().MAX_EXTRACT_SIZE`:
```python
def check_archive_safety(archive_path: Path, max_extract_size: int) -> list[str]:
    """Check archive for safety issues before extraction."""
    errors = []
    total_size = 0
    # ... existing iteration code ...
    for member in archive.infolist():
        total_size += member.size
        # Check the running total against the limit
        if total_size > max_extract_size:
            errors.append(
                f"Total uncompressed size {total_size} exceeds "
                f"MAX_EXTRACT_SIZE {max_extract_size}"
            )
            break  # Stop iteration, already over limit
        # ... existing per-member checks ...
    return errors
```
This prevents extraction from starting when size limits would be violated.
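The following is an added, self-contained illustration of the remediation above; it is not code from `atr/detection.py` or from the tooling-trusted-releases project. It reads only the ZIP central directory (`ZipInfo.file_size`, the standard-library name for the declared uncompressed size) and stops at the first member that pushes the running total over the limit. `SafetyResult`, `check_zip_total_size` and `build_sample_zip` are names chosen here; the sample archive is constructed in memory for the demo.

```python
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class SafetyResult:
    """Outcome of the pre-extraction check (hypothetical type for this demo)."""
    total_size: int  # sum of declared uncompressed sizes inspected so far
    errors: list[str] = field(default_factory=list)

    @property
    def safe(self) -> bool:
        return not self.errors


def check_zip_total_size(data: bytes, max_extract_size: int) -> SafetyResult:
    """Sum the declared uncompressed size of every ZIP member from the central
    directory and reject the archive as soon as the running total exceeds
    max_extract_size. No member content is decompressed."""
    result = SafetyResult(total_size=0)
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.infolist():
            if member.is_dir():
                continue
            result.total_size += member.file_size
            if result.total_size > max_extract_size:
                result.errors.append(
                    f"Total uncompressed size {result.total_size} exceeds "
                    f"MAX_EXTRACT_SIZE {max_extract_size} "
                    f"(reached at member {member.filename!r})"
                )
                break  # already over the limit; no need to inspect the rest
    return result


def build_sample_zip(member_count: int, member_size: int) -> bytes:
    """Constructed sample archive for the demo: member_count files of
    member_size zero bytes each. Zeros deflate to almost nothing, so the
    archive is tiny on disk while its declared uncompressed total is large."""
    buf = io.BytesIO()
    payload = b"\0" * member_size
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for i in range(member_count):
            zf.writestr(f"data/file{i:05d}.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(member_count=200, member_size=4096)  # 800 KiB declared
    print(f"archive bytes on disk: {len(sample)}")
    for limit in (1_000_000, 500_000):
        r = check_zip_total_size(sample, limit)
        print(f"limit={limit}: safe={r.safe} inspected_total={r.total_size} {r.errors}")
```

Two caveats for anyone wiring this into a real pipeline. First, `file_size` is whatever the uploader wrote into the central directory, so this check cheaply rejects honest-but-oversized archives and obvious bombs, but it does not replace the streaming limit enforced during extraction (the exarch `SecurityConfig` / `archives.py` path mentioned above), which is the only place a lying header can be caught. Second, tar has no central directory: a pre-scan of `tarfile` members must walk the whole stream (and, for `.tar.gz`, decompress it), so for tar the pre-check costs roughly one full pass rather than a single directory read.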
### Acceptance Criteria
- [ ] Total uncompressed size is validated before extraction starts
- [ ] Archives exceeding size limit are rejected before extraction
- [ ] Validation happens in pre-extraction safety check
- [ ] Test cases verify size limit enforcement
- [ ] Unit test verifying the fix
### References
- Source reports: L2:5.2.3.md
- Related findings: FINDING-242
- ASVS sections: 5.2.3
### Priority
Medium
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]