asf-tooling opened a new issue, #1075:
URL: https://github.com/apache/tooling-trusted-releases/issues/1075

   **ASVS Level(s):** L2-only
   
   **Description:**
   
   ### Summary
   The bulk PGP key processing function has no limit on the number of key 
blocks processed per request. Each block triggers CPU-intensive PGP parsing 
operations. Attackers can submit 1000+ key blocks in a single request, 
monopolizing workers until CPU limit kills the process.
   
   ### Details
   The issue exists in `atr/storage/writers/keys.py` line 388. The bulk key 
processing function accepts an unbounded list of key blocks without enforcing a 
maximum count.
   
   ### Recommended Remediation
   Add maximum key block count limit:
   
   ```python
   _MAX_KEY_BLOCKS_PER_REQUEST = 100

   def add_bulk_public_keys(self, key_blocks: list[str], committee_id: int) -> Outcome:
       """Add multiple public keys with count limit."""
       # Reject oversized batches before any CPU-intensive parsing runs
       if len(key_blocks) > _MAX_KEY_BLOCKS_PER_REQUEST:
           return Outcome.err(
               f"Cannot process more than {_MAX_KEY_BLOCKS_PER_REQUEST} key blocks "
               f"in a single request. Received {len(key_blocks)} blocks."
           )

       # Process key blocks
       results = []
       for key_block in key_blocks:
           result = self.add_public_key(key_block, committee_id)
           results.append(result)

       return Outcome.ok(results)
   ```
   
   This aligns with the single-block enforcement in 
`FoundationCommitter.__ensure_one()` and prevents resource exhaustion.
   
   ### Acceptance Criteria
   - [ ] _MAX_KEY_BLOCKS_PER_REQUEST constant added (100 blocks)
   - [ ] Key block count check added to bulk processing function
   - [ ] Error returned with helpful message when limit exceeded
   - [ ] Unit tests verify limit is enforced
   - [ ] Unit tests verify processing works within limit
   - [ ] Integration tests verify bulk key processing with limits
   - [ ] Documentation updated with bulk processing limits
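
   The following is an added, stand-alone example illustrating the remediation and the unit tests the acceptance criteria call for; it is not code from the tooling-trusted-releases project. `Outcome`, `KeyWriter`, `make_key_block` and the per-block byte cap `MAX_KEY_BLOCK_BYTES` are assumptions made for the example, and `add_public_key` is a cheap stand-in for the real PGP parsing. It goes slightly beyond the issue's proposal by also bounding the size of each block, so that a batch under the count limit cannot smuggle in arbitrarily large blocks, and it checks that a rejected batch triggers no parsing at all.

   ```python
   """Bounded bulk key ingestion with self-checks for the limit (added example)."""
   from __future__ import annotations

   from dataclasses import dataclass
   from typing import Any

   # Same value the issue proposes; the per-block byte cap is an added assumption.
   MAX_KEY_BLOCKS_PER_REQUEST = 100
   MAX_KEY_BLOCK_BYTES = 64 * 1024

   ARMOR_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
   ARMOR_FOOTER = "-----END PGP PUBLIC KEY BLOCK-----"


   @dataclass(frozen=True)
   class Outcome:
       """Minimal stand-in for the project's Outcome result type (assumed shape)."""
       value: Any = None
       error: str | None = None

       @classmethod
       def ok(cls, value: Any) -> "Outcome":
           return cls(value=value)

       @classmethod
       def err(cls, message: str) -> "Outcome":
           return cls(error=message)

       @property
       def is_ok(self) -> bool:
           return self.error is None


   class KeyWriter:
       """Hypothetical writer; parse_calls records how often the expensive path ran."""

       def __init__(self) -> None:
           self.parse_calls = 0

       def add_public_key(self, key_block: str, committee_id: int) -> Outcome:
           # Stand-in for CPU-intensive PGP parsing: only a cheap armor check here.
           self.parse_calls += 1
           body = key_block.strip()
           if not (body.startswith(ARMOR_HEADER) and body.endswith(ARMOR_FOOTER)):
               return Outcome.err("not an ASCII-armored PGP public key block")
           return Outcome.ok({"committee_id": committee_id, "bytes": len(body.encode("utf-8"))})

       def add_bulk_public_keys(self, key_blocks: list[str], committee_id: int) -> Outcome:
           # Count check first: O(1), and it runs before any parsing work is done.
           if len(key_blocks) > MAX_KEY_BLOCKS_PER_REQUEST:
               return Outcome.err(
                   f"Cannot process more than {MAX_KEY_BLOCKS_PER_REQUEST} key blocks "
                   f"in a single request. Received {len(key_blocks)} blocks."
               )
           # Size check second: bounds the work each accepted block can cost.
           too_big = [i for i, b in enumerate(key_blocks) if len(b.encode("utf-8")) > MAX_KEY_BLOCK_BYTES]
           if too_big:
               return Outcome.err(f"Key block(s) {too_big} exceed {MAX_KEY_BLOCK_BYTES} bytes")
           # Per-block failures are reported inside the results, not as a batch error.
           results = [self.add_public_key(b, committee_id) for b in key_blocks]
           return Outcome.ok(results)


   def make_key_block(n: int) -> str:
       """Constructed sample armor block (not a real key); the body is filler."""
       return f"{ARMOR_HEADER}\n\nKEY{n:04d}\n{ARMOR_FOOTER}\n"


   def run_checks() -> dict[str, bool]:
       """The unit tests the acceptance criteria ask for, as one self-checking run."""
       checks: dict[str, bool] = {}
       w = KeyWriter()
       over = w.add_bulk_public_keys([make_key_block(i) for i in range(MAX_KEY_BLOCKS_PER_REQUEST + 1)], 7)
       checks["limit_rejects_batch"] = not over.is_ok and "101 blocks" in (over.error or "")
       checks["no_parse_before_reject"] = w.parse_calls == 0

       w = KeyWriter()
       full = w.add_bulk_public_keys([make_key_block(i) for i in range(MAX_KEY_BLOCKS_PER_REQUEST)], 7)
       checks["at_limit_accepted"] = full.is_ok and len(full.value) == MAX_KEY_BLOCKS_PER_REQUEST
       checks["each_block_parsed_once"] = w.parse_calls == MAX_KEY_BLOCKS_PER_REQUEST

       w = KeyWriter()
       mixed = w.add_bulk_public_keys([make_key_block(1), "garbage"], 7)
       checks["bad_block_reported_per_item"] = mixed.is_ok and not mixed.value[1].is_ok

       w = KeyWriter()
       huge = w.add_bulk_public_keys([ARMOR_HEADER + "A" * MAX_KEY_BLOCK_BYTES + ARMOR_FOOTER], 7)
       checks["oversized_block_rejected"] = not huge.is_ok and w.parse_calls == 0
       return checks


   if __name__ == "__main__":
       for name, passed in run_checks().items():
           print(f"{'PASS' if passed else 'FAIL'} {name}")
   ```

   Ordering matters: the count check and the size check are both cheap and run before the first expensive parse, so a rejected request costs the worker almost nothing, which is the whole point of the limit.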
   
   ### References
   - Source reports: L2:15.2.2.md
   - Related findings: None
   - ASVS sections: 15.2.2
   
   ### Priority
   Medium
   
   ---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

