github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-08 11:38:15 +00:00
Code Issues Projects Releases Wiki Activity

Only check caller-controlled attribute size for max cache key

Browse Source
This commit is contained in:
Tim Allclair 2019-01-03 13:33:59 -08:00
parent ea1b4eb239
commit e23c15a0f3
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
View File

@ -200,7 +200,7 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (decision auth
if r.Status.Allowed { if r.Status.Allowed {
w.responseCache.Add(string(key), r.Status, w.authorizedTTL) w.responseCache.Add(string(key), r.Status, w.authorizedTTL)
} else { } else {
if len(key) <= maxUnauthorizedCachedKeySize { if callerControlledAttributeSize(attr) < maxUnauthorizedCachedKeySize {
w.responseCache.Add(string(key), r.Status, w.unauthorizedTTL) w.responseCache.Add(string(key), r.Status, w.unauthorizedTTL)
} }
} }
@ -268,3 +268,14 @@ func (t *subjectAccessReviewClient) Create(subjectAccessReview *authorization.Su
err := t.w.RestClient.Post().Body(subjectAccessReview).Do().Into(result) err := t.w.RestClient.Post().Body(subjectAccessReview).Do().Into(result)
return result, err return result, err
} }
func callerControlledAttributeSize(attr authorizer.Attributes) int64 {
return int64(len(attr.GetNamespace())) +
int64(len(attr.GetVerb())) +
int64(len(attr.GetAPIGroup())) +
int64(len(attr.GetAPIVersion())) +
int64(len(attr.GetResource())) +
int64(len(attr.GetSubresource())) +
int64(len(attr.GetName())) +
int64(len(attr.GetPath()))
}