asf-tooling opened a new issue, #969:
URL: https://github.com/apache/tooling-trusted-releases/issues/969

   **ASVS Level(s):** [L1]
   
   **Description:**
   
   ### Summary
   Security documentation explicitly states that sensitive endpoints have 10 
requests per hour rate limits. However, multiple endpoints are documented with 
this limit but lack the `@rate_limiter.rate_limit` decorator in their 
implementation: `/api/key/delete`, `/api/distribute/record_from_workflow`, 
`/api/distribute/task/status`. This creates false confidence in the security 
posture. Authenticated users can call these endpoints up to 500 times per hour 
(API-wide limit) instead of the documented 10 times per hour.
   
   ### Details
   **Affected Files and Lines:**
   - `atr/api/__init__.py:~390-420` - key_delete without rate limit
   - `atr/api/__init__.py:~270` - distribution_record_from_workflow without 
rate limit
   - `atr/api/__init__.py:~540` - update_distribution_task_status without rate 
limit
   - `security/ASVS/audit_guidance/authentication-security.md` - Documentation 
with rate limits
   
   The documentation promises 10 requests/hour but the implementation allows 
500 requests/hour, creating a 50x gap between documented and actual behavior.
   
   ### Recommended Remediation
   Add `@rate_limiter.rate_limit(10, datetime.timedelta(hours=1))` decorator to 
all three endpoints:
   
   ```python
   @rate_limiter.rate_limit(10, datetime.timedelta(hours=1))
   async def key_delete(...):
       ...
   
   @rate_limiter.rate_limit(10, datetime.timedelta(hours=1))
   async def distribution_record_from_workflow(...):
       ...
   
   @rate_limiter.rate_limit(10, datetime.timedelta(hours=1))
   async def update_distribution_task_status(...):
       ...
   ```
   
   ### Acceptance Criteria
   - [ ] Rate limit decorator added to key_delete
   - [ ] Rate limit decorator added to distribution_record_from_workflow
   - [ ] Rate limit decorator added to update_distribution_task_status
   - [ ] Implementation matches documentation
   - [ ] Integration test verifies enforcement
   - [ ] Unit test verifying the fix
   
   ### References
   - Source reports: L1:6.1.1.md, L1:6.3.1.md
   - Related findings: FINDING-124
   - ASVS sections: 6.1.1, 6.3.1
   
   ### Priority
   High
   
   ---
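The acceptance criteria ask for a test that verifies enforcement rather than just the presence of the decorator. The following is an added example, not code from the tooling-trusted-releases project: a constructed stand-in for `rate_limiter.rate_limit` with an injectable clock, applied to a stand-in `key_delete`, showing that the 11th call within an hour is rejected and that the budget is restored once the window rolls over.

```python
import asyncio
import collections
import datetime
import functools


class RateLimitExceeded(Exception):
    """Raised when a caller exhausts its request budget for the window."""


class RateLimiter:
    """Sliding-window limiter keyed by (endpoint, caller); constructed stand-in
    for the project's rate_limiter module with an injectable clock."""

    def __init__(self, clock):
        self._clock = clock  # callable returning an aware datetime
        self._hits = collections.defaultdict(collections.deque)

    def rate_limit(self, limit, period):
        def decorator(func):
            @functools.wraps(func)
            async def wrapper(caller, *args, **kwargs):
                now = self._clock()
                hits = self._hits[(func.__name__, caller)]
                while hits and now - hits[0] >= period:  # expire aged-out hits
                    hits.popleft()
                if len(hits) >= limit:
                    raise RateLimitExceeded(f"{func.__name__}: {limit} per {period}")
                hits.append(now)
                return await func(caller, *args, **kwargs)
            return wrapper
        return decorator


def check_enforcement(limit=10, period=datetime.timedelta(hours=1)):
    """Call a decorated stand-in endpoint limit+5 times inside one window, then
    once after the window rolls over; return (accepted, rejected, reset_ok)."""
    clock = [datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)]
    limiter = RateLimiter(lambda: clock[0])

    @limiter.rate_limit(limit, period)
    async def key_delete(caller, fingerprint):  # stand-in, not the ATR handler
        return f"deleted {fingerprint}"

    async def run():
        accepted = rejected = 0
        for i in range(limit + 5):
            try:
                await key_delete("alice", f"fp{i}")
                accepted += 1
            except RateLimitExceeded:
                rejected += 1
        clock[0] += period  # window rolls over, budget is restored
        reset_ok = (await key_delete("alice", "fp-later")) == "deleted fp-later"
        return accepted, rejected, reset_ok

    return asyncio.run(run())
```

With the documented configuration, `check_enforcement()` returns `(10, 5, True)`; an endpoint that lacks the decorator would accept all 15 calls, which is exactly the gap the issue describes.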


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.