mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

style: improve descriptions in notary verifier (#8444)

Browse source 
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
This commit is contained in:
Vishal Choudhary 2023-09-18 23:39:48 +05:30 committed by GitHub
parent 427806f061
commit b6c959bfac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
pkg/notary/notary.go
View file

@ -167,7 +167,7 @@ func (v *notaryVerifier) FetchAttestations(ctx context.Context, opts images.Opti
return nil, err
}
// See: https://github.com/kyverno/kyverno/security/advisories/GHSA-9g37-h7p2-2c6r
// This check ensures that the manifest does not have an abnormal amount of referrers attached to it to protect against compromised images
if len(referrersDescs.Manifests) > maxReferrersCount {
return nil, fmt.Errorf("failed to fetch referrers: to many referrers found, max limit is %d", maxReferrersCount)
}
@ -318,7 +318,7 @@ func extractStatement(ctx context.Context, repoRef name.Reference, desc v1.Descr
}
predicateDesc := manifest.Layers[0]
// See: https://github.com/kyverno/kyverno/security/advisories/GHSA-wc3x-5rfv-hh5v
// This check ensures that the size of a layer isn't abnormally large to avoid malicious payloads
if predicateDesc.Size > int64(maxPayloadSize) {
return nil, fmt.Errorf("payload size is too large, max size is %d: %+v", maxPayloadSize, predicateDesc)
}

4
pkg/notary/repository.go
View file

@ -50,7 +50,7 @@ func (c *repositoryClient) ListSignatures(ctx context.Context, desc ocispec.Desc
return err
}
// See: https://github.com/kyverno/kyverno/security/advisories/GHSA-hjpv-68f4-2262
// This check ensures that the manifest does not have an abnormal amount of referrers attached to it to protect against compromised images
if len(referrersDescs.Manifests) > maxReferrersCount {
return fmt.Errorf("failed to fetch referrers: to many referrers found, max limit is %d", maxReferrersCount)
}
@ -86,7 +86,7 @@ func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.
}
manifestDesc := manifest.Layers[0]
// See: https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r
// This check ensures that the size of a layer isn't abnormally large to avoid malicious payloads
if manifestDesc.Size > int64(maxPayloadSize) {
return nil, ocispec.Descriptor{}, fmt.Errorf("payload size is too large, max size is %d: %+v", maxPayloadSize, manifestDesc)
}