github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-17 07:39:22 +00:00
Code Issues Projects Releases Wiki Activity

ClusterTrustBundle: Enforce max size during validation

Browse Source
This commit is contained in:
Taahir Ahmed 2023-07-06 23:50:30 -07:00
parent 1ebe5774d0
commit 96e610ac18
3 changed files with 212 additions and 183 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/apis/certificates/types.go
View File

@ -277,3 +277,6 @@ type ClusterTrustBundleList struct {
// Items is a collection of ClusterTrustBundle objects // Items is a collection of ClusterTrustBundle objects
Items []ClusterTrustBundle Items []ClusterTrustBundle
} }
// MaxTrustBundleSize is the maximimum size of a single trust bundle field.
const MaxTrustBundleSize = 1 * 1024 * 1024

5
pkg/apis/certificates/validation/validation.go
View File

@ -508,6 +508,11 @@ func ValidateClusterTrustBundleUpdate(newBundle, oldBundle *certificates.Cluster
func validateTrustBundle(path *field.Path, in string) field.ErrorList { func validateTrustBundle(path *field.Path, in string) field.ErrorList {
var allErrors field.ErrorList var allErrors field.ErrorList
if len(in) > certificates.MaxTrustBundleSize {
allErrors = append(allErrors, field.TooLong(path, fmt.Sprintf("<value omitted, len %d>", len(in)), certificates.MaxTrustBundleSize))
return allErrors
}
blockDedupe := map[string][]int{} blockDedupe := map[string][]int{}
rest := []byte(in) rest := []byte(in)

25
pkg/apis/certificates/validation/validation_test.go
View File

@ -1104,12 +1104,18 @@ func TestValidateClusterTrustBundle(t *testing.T) {
badBlockTypeBlock := string(mustMakePEMBlock("NOTACERTIFICATE", nil, goodCert1)) badBlockTypeBlock := string(mustMakePEMBlock("NOTACERTIFICATE", nil, goodCert1))
badNonParseableBlock := string(mustMakePEMBlock("CERTIFICATE", nil, []byte("this is not a certificate"))) badNonParseableBlock := string(mustMakePEMBlock("CERTIFICATE", nil, []byte("this is not a certificate")))
badTooBigBundle := ""
for i := 0; i < (core.MaxSecretSize/len(goodCert1Block))+1; i++ {
badTooBigBundle += goodCert1Block + "\n"
}
testCases := []struct { testCases := []struct {
description string description string
bundle *capi.ClusterTrustBundle bundle *capi.ClusterTrustBundle
opts ValidateClusterTrustBundleOptions opts ValidateClusterTrustBundleOptions
wantErrors field.ErrorList wantErrors field.ErrorList
}{{ }{
{
description: "valid, no signer name", description: "valid, no signer name",
bundle: &capi.ClusterTrustBundle{ bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
@ -1119,7 +1125,22 @@ func TestValidateClusterTrustBundle(t *testing.T) {
TrustBundle: goodCert1Block, TrustBundle: goodCert1Block,
}, },
}, },
}, { },
{
description: "invalid, too big",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
Spec: capi.ClusterTrustBundleSpec{
TrustBundle: badTooBigBundle,
},
},
wantErrors: field.ErrorList{
field.TooLong(field.NewPath("spec", "trustBundle"), fmt.Sprintf("<value omitted, len %d>", len(badTooBigBundle)), core.MaxSecretSize),
},
},
{
description: "invalid, no signer name, invalid name", description: "invalid, no signer name, invalid name",
bundle: &capi.ClusterTrustBundle{ bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{