Check layer size (#8552)
* fix excessive logs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * check fetched layer size Signed-off-by: Jim Bugwadia <jim@nirmata.com> * check sig layer size Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com>
This commit is contained in:
parent
27858f634e
commit
2fe07f694e
2 changed files with 32 additions and 11 deletions
|
@ -27,7 +27,7 @@ import (
|
|||
|
||||
var (
|
||||
maxReferrersCount = 50
|
||||
maxPayloadSize = 10 * 1000 * 1000 // 10 MB
|
||||
maxPayloadSize = int64(10 * 1000 * 1000) // 10 MB
|
||||
)
|
||||
|
||||
func NewVerifier() images.ImageVerifier {
|
||||
|
@ -310,28 +310,38 @@ func extractStatement(ctx context.Context, repoRef name.Reference, desc v1.Descr
|
|||
if err := json.Unmarshal(manifestBytes, &manifest); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if len(manifest.Layers) == 0 {
|
||||
return nil, fmt.Errorf("no predicate found: %+v", manifest)
|
||||
}
|
||||
if len(manifest.Layers) > 1 {
|
||||
return nil, fmt.Errorf("multiple layers in predicate not supported: %+v", manifest)
|
||||
}
|
||||
predicateDesc := manifest.Layers[0]
|
||||
|
||||
// This check ensures that the size of a layer isn't abnormally large to avoid malicious payloads
|
||||
if predicateDesc.Size > int64(maxPayloadSize) {
|
||||
return nil, fmt.Errorf("payload size is too large, max size is %d: %+v", maxPayloadSize, predicateDesc)
|
||||
predicateDesc := manifest.Layers[0]
|
||||
digest := predicateDesc.Digest.String()
|
||||
if predicateDesc.Size > maxPayloadSize {
|
||||
return nil, fmt.Errorf("predicate size %d exceeds %d for digest %s", predicateDesc.Size, maxPayloadSize, digest)
|
||||
}
|
||||
|
||||
layer, err := gcrremote.Layer(ref.Context().Digest(predicateDesc.Digest.String()), remoteOpts...)
|
||||
layer, err := gcrremote.Layer(ref.Context().Digest(digest), remoteOpts...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
layerSize, err := layer.Size()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if layerSize > maxPayloadSize {
|
||||
return nil, fmt.Errorf("layer size %d exceeds %d for digest %s", layerSize, maxPayloadSize, digest)
|
||||
}
|
||||
|
||||
ioPredicate, err := layer.Uncompressed()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
predicateBytes := new(bytes.Buffer)
|
||||
_, err = predicateBytes.ReadFrom(ioPredicate)
|
||||
if err != nil {
|
||||
|
@ -342,17 +352,18 @@ func extractStatement(ctx context.Context, repoRef name.Reference, desc v1.Descr
|
|||
if err := json.Unmarshal(predicateBytes.Bytes(), &predicate); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
data := make(map[string]interface{})
|
||||
if err := json.Unmarshal(manifestBytes, &data); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if data["type"] == nil {
|
||||
data["type"] = desc.ArtifactType
|
||||
}
|
||||
if data["predicate"] == nil {
|
||||
data["predicate"] = predicate
|
||||
}
|
||||
|
||||
return data, nil
|
||||
}
|
||||
|
||||
|
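Review bot: Both new guards in extractStatement, `if predicateDesc.Size > maxPayloadSize` and `if layerSize > maxPayloadSize`, compare registry-supplied metadata (the manifest's declared size and the size reported for the blob), while the bytes actually consumed by `predicateBytes.ReadFrom(ioPredicate)` below remain unbounded, and because `Uncompressed()` decompresses the layer, a blob that passes both checks can still expand well past the limit in memory. I would bound the read itself: `lr := io.LimitReader(ioPredicate, maxPayloadSize+1)`, `n, err := predicateBytes.ReadFrom(lr)`, then `if n > maxPayloadSize { return nil, fmt.Errorf("predicate for digest %s exceeds %d bytes", digest, maxPayloadSize) }` (the `io` import is not visible in this hunk; add it if absent). The metadata checks are still worthwhile as a cheap early reject, so keep them in front of the fetch. extractStatement begins and ends outside this hunk, and the same unbounded-read concern applies to FetchSignatureBlob in the second file.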
|
|
@ -87,8 +87,8 @@ func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.
|
|||
manifestDesc := manifest.Layers[0]
|
||||
|
||||
// This check ensures that the size of a layer isn't abnormally large to avoid malicious payloads
|
||||
if manifestDesc.Size > int64(maxPayloadSize) {
|
||||
return nil, ocispec.Descriptor{}, fmt.Errorf("payload size is too large, max size is %d: %+v", maxPayloadSize, manifestDesc)
|
||||
if manifestDesc.Size > maxPayloadSize {
|
||||
return nil, ocispec.Descriptor{}, fmt.Errorf("payload size %d exceeds %d for digest %s", manifestDesc.Size, maxPayloadSize, manifestDesc.Digest)
|
||||
}
|
||||
|
||||
signatureBlobRef, err := name.ParseReference(c.getReferenceFromDescriptor(manifestDesc))
|
||||
|
@ -96,11 +96,21 @@ func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.
|
|||
return nil, ocispec.Descriptor{}, err
|
||||
}
|
||||
|
||||
signatureBlobLayer, err := remote.Layer(signatureBlobRef.Context().Digest(signatureBlobRef.Identifier()), c.remoteOpts...)
|
||||
digest := signatureBlobRef.Identifier()
|
||||
signatureBlobLayer, err := remote.Layer(signatureBlobRef.Context().Digest(digest), c.remoteOpts...)
|
||||
if err != nil {
|
||||
return nil, ocispec.Descriptor{}, err
|
||||
}
|
||||
|
||||
signatureBlobLayerSize, err := signatureBlobLayer.Size()
|
||||
if err != nil {
|
||||
return nil, ocispec.Descriptor{}, err
|
||||
}
|
||||
|
||||
if signatureBlobLayerSize > maxPayloadSize {
|
||||
return nil, ocispec.Descriptor{}, fmt.Errorf("layer size %d exceeds %d for digest %s", signatureBlobLayerSize, maxPayloadSize, digest)
|
||||
}
|
||||
|
||||
io, err := signatureBlobLayer.Uncompressed()
|
||||
if err != nil {
|
||||
return nil, ocispec.Descriptor{}, err
|
||||
|
|
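Review bot: `io, err := signatureBlobLayer.Uncompressed()` names the reader `io`, shadowing the standard `io` package for the rest of FetchSignatureBlob; besides being confusing, it makes it impossible to wrap this reader with `io.LimitReader` in that scope, which is exactly the bounded read the new `signatureBlobLayerSize > maxPayloadSize` check still leaves open (that check compares the size the registry reports, not the decompressed bytes that are subsequently read). Rename it, e.g. `blobReader, err := signatureBlobLayer.Uncompressed()`, and apply the limit where the reader is consumed. The consumption of the reader is outside this hunk, so whether the read is already bounded there cannot be confirmed from the diff; FetchSignatureBlob begins and ends outside the hunk.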