asf-tooling opened a new issue, #1062:
URL: https://github.com/apache/tooling-trusted-releases/issues/1062
**ASVS Level(s):** L2-only
**Description:**
### Summary
Multiple endpoints return unbounded result sets without pagination or
limits. Affected endpoints include: (1) `/api/checks/list/<project>/<version>`,
which may return thousands of check results for releases with large archives;
(2) `/api/release/paths/<project>/<version>`, which collects all file paths in
memory before returning; (3) `/admin/data/<model>`, which loads all database
records; and (4) `/admin/consistency`, which walks the entire filesystem. Code
comments acknowledge the issue ('TODO: We should perhaps paginate this') but it
remains unaddressed.
### Details
The issue exists in:
- `atr/api/__init__.py` checks_list() function
- `atr/api/__init__.py` release_paths() function
- `atr/admin/__init__.py` _data_browse() function
- `atr/admin/__init__.py` consistency() function
### Recommended Remediation
Add pagination to API endpoints using query parameters (limit/offset):
```python
# For checks_list() and release_paths()
_MAX_RESULTS = 100


@api.get
async def checks_list(
    session: web.Public,
    project_key: safe.ProjectKey,
    version_key: safe.VersionKey,
    limit: int = _MAX_RESULTS,
    offset: int = 0,
) -> dict:
    # Validate pagination parameters (after fixing typo in FINDING-155)
    _pagination_args_validate(limit, offset)
    # Apply limit and offset to query
    checks = ...  # query with .limit(limit).offset(offset)
    total_count = ...  # count query without limit/offset
    return {
        'checks': checks,
        'total': total_count,
        'limit': limit,
        'offset': offset,
    }


# For admin endpoints
_MAX_BROWSE_RECORDS = 500


@admin.get
async def _data_browse(
    session: web.Admin,
    model: str,
    page: int = 1,
) -> web.QuartResponse:
    limit = _MAX_BROWSE_RECORDS
    offset = (page - 1) * limit
    records = ...  # query with .limit(limit).offset(offset)
    total_count = ...  # count query
    return await render(
        "admin/data_browse.html",
        records=records,
        total=total_count,
        page=page,
        total_pages=(total_count + limit - 1) // limit,
    )
```
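The sketch above leaves the argument validation and the page arithmetic as placeholders. The following is an added, self-contained example (not ATR project code) showing how the limit/offset validation, the server-side page-size cap, and the total/total_pages metadata fit together; `MAX_LIMIT`, `MAX_BROWSE_RECORDS`, `PaginationError` and the 2,500-entry sample are constructed for illustration, and the in-memory slice stands in for the LIMIT/OFFSET and COUNT queries.

```python
"""Bounded pagination helpers for list endpoints (added example, not ATR code)."""
from typing import Sequence, TypeVar

T = TypeVar("T")

# Hypothetical caps mirroring the _MAX_RESULTS / _MAX_BROWSE_RECORDS idea.
MAX_LIMIT = 100
MAX_BROWSE_RECORDS = 500


class PaginationError(ValueError):
    """Raised for client-supplied pagination arguments that are out of range."""


def validate_pagination_args(limit: int, offset: int, max_limit: int = MAX_LIMIT) -> tuple[int, int]:
    """Reject non-positive limits and negative offsets; clamp the page size to the cap.

    Clamping an oversized limit keeps the cap enforced server-side even if a
    client ignores the documented maximum.
    """
    if not isinstance(limit, int) or not isinstance(offset, int):
        raise PaginationError("limit and offset must be integers")
    if limit < 1:
        raise PaginationError("limit must be >= 1")
    if offset < 0:
        raise PaginationError("offset must be >= 0")
    return min(limit, max_limit), offset


def paginate(items: Sequence[T], limit: int, offset: int, max_limit: int = MAX_LIMIT) -> dict:
    """Return one bounded page plus the metadata the acceptance criteria ask for."""
    limit, offset = validate_pagination_args(limit, offset, max_limit)
    total = len(items)  # in the real endpoint: a COUNT query without LIMIT/OFFSET
    page_items = list(items[offset : offset + limit])  # the LIMIT/OFFSET slice
    return {
        "items": page_items,
        "total": total,
        "limit": limit,
        "offset": offset,
        "total_pages": (total + limit - 1) // limit,  # ceiling division, as in the sketch
    }


def page_to_offset(page: int, page_size: int = MAX_BROWSE_RECORDS) -> int:
    """Convert a 1-based admin page number into an offset, rejecting page < 1."""
    if page < 1:
        raise PaginationError("page must be >= 1")
    return (page - 1) * page_size


# Constructed sample: 2,500 fake check results, far more than one page should return.
SAMPLE_CHECKS = [{"id": i, "status": "PASS" if i % 7 else "FAIL"} for i in range(2500)]
```

A request asking for `limit=10000` is served with at most `MAX_LIMIT` rows, while the response still reports the true total so clients can iterate.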
### Acceptance Criteria
- [ ] Pagination added to /api/checks/list endpoint
- [ ] Pagination added to /api/release/paths endpoint
- [ ] Pagination added to /admin/data/<model> endpoint
- [ ] Page size limits enforced on all endpoints
- [ ] Total count included in paginated responses
- [ ] Unit tests verify pagination works correctly
- [ ] Unit tests verify page size limits are enforced
- [ ] Integration tests verify large result sets are paginated
- [ ] Documentation updated with pagination parameters
### References
- Source reports: L2:15.1.3.md
- Related findings: FINDING-012, FINDING-052, FINDING-207
- ASVS sections: 15.1.3
- CWE: CWE-770
### Priority
Medium
---
This is an automated message from the Apache Git Service.