Only check caller-controlled attribute size for max cache key

Tim Allclair 2019-01-03 13:33:59 -08:00
parent ea1b4eb239
commit e23c15a0f3


@ -200,7 +200,7 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (decision auth
if r.Status.Allowed {
w.responseCache.Add(string(key), r.Status, w.authorizedTTL)
} else {
if len(key) <= maxUnauthorizedCachedKeySize {
if callerControlledAttributeSize(attr) < maxUnauthorizedCachedKeySize {
w.responseCache.Add(string(key), r.Status, w.unauthorizedTTL)
}
}
@ -268,3 +268,14 @@ func (t *subjectAccessReviewClient) Create(subjectAccessReview *authorization.Su
err := t.w.RestClient.Post().Body(subjectAccessReview).Do().Into(result)
return result, err
}
func callerControlledAttributeSize(attr authorizer.Attributes) int64 {
return int64(len(attr.GetNamespace())) +
int64(len(attr.GetVerb())) +
int64(len(attr.GetAPIGroup())) +
int64(len(attr.GetAPIVersion())) +
int64(len(attr.GetResource())) +
int64(len(attr.GetSubresource())) +
int64(len(attr.GetName())) +
int64(len(attr.GetPath()))
}
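Review bot: `callerControlledAttributeSize` has no doc comment, and the bound on caching denied responses now depends on its field list staying complete: a caller-settable attribute added later and not summed here would escape the `maxUnauthorizedCachedKeySize` limit without anyone noticing. I would add `// callerControlledAttributeSize sums the lengths of the request attributes chosen by the caller; identity fields are left out because the caller does not set them.` above the function; the reason given is inferred from the commit title, so confirm it. The comparison in `Authorize` also changed from `<=` to `<`, so a request exactly at the limit is no longer cached; if that is unintended, keep `<=`. `Authorize` starts and ends outside the first hunk and the construction of `key` is not visible, so the stored key may still be larger than the value bounded here (for example if it is an encoded form of the whole review).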