Limit the read length of ioutil.ReadAll in pkg/kubelet and pkg/probe

Signed-off-by: Haiyan Meng <haiyanmeng@google.com>
2019-04-12 11:52:04 -07:00
parent 3e0fe89e3c
commit 1f270ef4e2
12 changed files with 35 additions and 10 deletions
--- a/pkg/probe/http/BUILD
+++ b/pkg/probe/http/BUILD
@@ -15,6 +15,7 @@ go_library(
        "//pkg/version:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
        "//vendor/k8s.io/klog:go_default_library",
+        "//vendor/k8s.io/utils/io:go_default_library",
    ],
 )

--- a/pkg/probe/http/http.go
+++ b/pkg/probe/http/http.go
@@ -20,7 +20,6 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"time"
@@ -30,6 +29,11 @@ import (
 	"k8s.io/kubernetes/pkg/version"

 	"k8s.io/klog"
+	utilio "k8s.io/utils/io"
+)
+
+const (
+	maxRespBodyLength = 10 * 1 << 10 // 10KB
 )

 // New creates Prober that will skip TLS verification while probing.
@@ -107,7 +111,7 @@ func DoHTTPProbe(url *url.URL, headers http.Header, client GetHTTPInterface) (pr
 		return probe.Failure, err.Error(), nil
 	}
 	defer res.Body.Close()
-	b, err := ioutil.ReadAll(res.Body)
+	b, err := utilio.ReadAtMost(res.Body, maxRespBodyLength)
 	if err != nil {
 		return probe.Failure, "", err
 	}