registry/{storage,handlers}: limit content sizes
Under certain circumstances, the use of `StorageDriver.GetContent` can result in unbounded memory allocations. In particualr, this happens when accessing a layer through the manifests endpoint. This problem is mitigated by setting a 4MB limit when using to access content that may have been accepted from a user. In practice, this means setting the limit with the use of `BlobProvider.Get` by wrapping `StorageDriver.GetContent` in a helper that uses `StorageDriver.Reader` with a `limitReader` that returns an error. When mitigating this security issue, we also noticed that the size of manifests uploaded to the registry is also unlimited. We apply similar logic to the request body of payloads that are full buffered. Signed-off-by: Stephen J Day <stephen.day@docker.com>
This commit is contained in:
Stephen J Day
@@ -27,7 +27,7 @@ func (bs *blobStore) Get(ctx context.Context, dgst digest.Digest) ([]byte, error
|
||||
return nil, err
|
||||
}
|
||||
|
||||
p, err := bs.driver.GetContent(ctx, bp)
|
||||
p, err := getContent(ctx, bs.driver, bp)
|
||||
if err != nil {
|
||||
switch err.(type) {
|
||||
case driver.PathNotFoundError:
|
||||
@@ -37,7 +37,7 @@ func (bs *blobStore) Get(ctx context.Context, dgst digest.Digest) ([]byte, error
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return p, err
|
||||
return p, nil
|
||||
}
|
||||
|
||||
func (bs *blobStore) Open(ctx context.Context, dgst digest.Digest) (distribution.ReadSeekCloser, error) {
|
||||
|
||||
71
registry/storage/io.go
Normal file
71
registry/storage/io.go
Normal file
@@ -0,0 +1,71 @@
|
||||
package storage
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
|
||||
"github.com/docker/distribution/context"
|
||||
"github.com/docker/distribution/registry/storage/driver"
|
||||
)
|
||||
|
||||
const (
|
||||
maxBlobGetSize = 4 << 20
|
||||
)
|
||||
|
||||
func getContent(ctx context.Context, driver driver.StorageDriver, p string) ([]byte, error) {
|
||||
r, err := driver.Reader(ctx, p, 0)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return readAllLimited(r, maxBlobGetSize)
|
||||
}
|
||||
|
||||
func readAllLimited(r io.Reader, limit int64) ([]byte, error) {
|
||||
r = limitReader(r, limit)
|
||||
return ioutil.ReadAll(r)
|
||||
}
|
||||
|
||||
// limitReader returns a new reader limited to n bytes. Unlike io.LimitReader,
|
||||
// this returns an error when the limit reached.
|
||||
func limitReader(r io.Reader, n int64) io.Reader {
|
||||
return &limitedReader{r: r, n: n}
|
||||
}
|
||||
|
||||
// limitedReader implements a reader that errors when the limit is reached.
|
||||
//
|
||||
// Partially cribbed from net/http.MaxBytesReader.
|
||||
type limitedReader struct {
|
||||
r io.Reader // underlying reader
|
||||
n int64 // max bytes remaining
|
||||
err error // sticky error
|
||||
}
|
||||
|
||||
func (l *limitedReader) Read(p []byte) (n int, err error) {
|
||||
if l.err != nil {
|
||||
return 0, l.err
|
||||
}
|
||||
if len(p) == 0 {
|
||||
return 0, nil
|
||||
}
|
||||
// If they asked for a 32KB byte read but only 5 bytes are
|
||||
// remaining, no need to read 32KB. 6 bytes will answer the
|
||||
// question of the whether we hit the limit or go past it.
|
||||
if int64(len(p)) > l.n+1 {
|
||||
p = p[:l.n+1]
|
||||
}
|
||||
n, err = l.r.Read(p)
|
||||
|
||||
if int64(n) <= l.n {
|
||||
l.n -= int64(n)
|
||||
l.err = err
|
||||
return n, err
|
||||
}
|
||||
|
||||
n = int(l.n)
|
||||
l.n = 0
|
||||
|
||||
l.err = errors.New("storage: read exceeds limit")
|
||||
return n, l.err
|
||||
}
|
||||
Reference in New Issue
Block a user