Limit the read length of ioutil.ReadAll in pkg/kubelet and pkg/probe

Signed-off-by: Haiyan Meng <haiyanmeng@google.com>
Haiyan Meng 2019-04-12 11:52:04 -07:00
parent 3e0fe89e3c
commit 1f270ef4e2
GPG Key ID: BB0B10153E44E472
12 changed files with 35 additions and 10 deletions


@ -88,6 +88,7 @@ go_library(
"//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs:go_default_library", "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs:go_default_library",
"//vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd:go_default_library", "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd:go_default_library",
"//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library", "//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library",
"//vendor/k8s.io/utils/io:go_default_library",
"//vendor/k8s.io/utils/path:go_default_library", "//vendor/k8s.io/utils/path:go_default_library",
], ],
"@io_bazel_rules_go//go/platform:nacl": [ "@io_bazel_rules_go//go/platform:nacl": [


@ -61,6 +61,7 @@ import (
"k8s.io/kubernetes/pkg/util/oom" "k8s.io/kubernetes/pkg/util/oom"
"k8s.io/kubernetes/pkg/util/procfs" "k8s.io/kubernetes/pkg/util/procfs"
utilsysctl "k8s.io/kubernetes/pkg/util/sysctl" utilsysctl "k8s.io/kubernetes/pkg/util/sysctl"
utilio "k8s.io/utils/io"
utilpath "k8s.io/utils/path" utilpath "k8s.io/utils/path"
) )
@ -76,6 +77,7 @@ const (
dockerPidFile = "/var/run/docker.pid" dockerPidFile = "/var/run/docker.pid"
containerdProcessName = "docker-containerd" containerdProcessName = "docker-containerd"
containerdPidFile = "/run/docker/libcontainerd/docker-containerd.pid" containerdPidFile = "/run/docker/libcontainerd/docker-containerd.pid"
maxPidFileLength = 1 << 10 // 1KB
) )
var ( var (
@ -682,7 +684,7 @@ func getPidFromPidFile(pidFile string) (int, error) {
} }
defer file.Close() defer file.Close()
data, err := ioutil.ReadAll(file) data, err := utilio.ReadAtMost(file, maxPidFileLength)
if err != nil { if err != nil {
return 0, fmt.Errorf("error reading pid file %s: %v", pidFile, err) return 0, fmt.Errorf("error reading pid file %s: %v", pidFile, err)
} }


@ -45,6 +45,7 @@ go_library(
"//staging/src/k8s.io/client-go/tools/record:go_default_library", "//staging/src/k8s.io/client-go/tools/record:go_default_library",
"//vendor/github.com/spf13/pflag:go_default_library", "//vendor/github.com/spf13/pflag:go_default_library",
"//vendor/k8s.io/klog:go_default_library", "//vendor/k8s.io/klog:go_default_library",
"//vendor/k8s.io/utils/io:go_default_library",
] + select({ ] + select({
"@io_bazel_rules_go//go/platform:linux": [ "@io_bazel_rules_go//go/platform:linux": [
"//staging/src/k8s.io/client-go/util/flowcontrol:go_default_library", "//staging/src/k8s.io/client-go/util/flowcontrol:go_default_library",


@ -43,6 +43,10 @@ import (
"k8s.io/klog" "k8s.io/klog"
) )
const (
maxConfigLength = 10 * 1 << 20 // 10MB
)
// Generate a pod name that is unique among nodes by appending the nodeName. // Generate a pod name that is unique among nodes by appending the nodeName.
func generatePodName(name string, nodeName types.NodeName) string { func generatePodName(name string, nodeName types.NodeName) string {
return fmt.Sprintf("%s-%s", name, strings.ToLower(string(nodeName))) return fmt.Sprintf("%s-%s", name, strings.ToLower(string(nodeName)))


@ -19,7 +19,6 @@ package config
import ( import (
"fmt" "fmt"
"io/ioutil"
"os" "os"
"path/filepath" "path/filepath"
"sort" "sort"
@ -33,6 +32,7 @@ import (
"k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/cache"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
kubetypes "k8s.io/kubernetes/pkg/kubelet/types" kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
utilio "k8s.io/utils/io"
) )
type podEventType int type podEventType int
@ -215,7 +215,7 @@ func (s *sourceFile) extractFromFile(filename string) (pod *v1.Pod, err error) {
} }
defer file.Close() defer file.Close()
data, err := ioutil.ReadAll(file) data, err := utilio.ReadAtMost(file, maxConfigLength)
if err != nil { if err != nil {
return pod, err return pod, err
} }
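Review bot: When the 10MB cap is hit on `data, err := utilio.ReadAtMost(file, maxConfigLength)`, the following `return pod, err` propagates the bare `utilio.ErrLimitReached` with no indication of which manifest file was too large, whereas the pid-file hunk in container_manager_linux.go wraps its read error with the path. Wrapping here as `return pod, fmt.Errorf("reading %s: %v", filename, err)` (this file already imports fmt) makes an oversized or runaway manifest diagnosable from the kubelet log instead of surfacing as an anonymous "limit reached". The same applies to `extractFromURL` in http.go, where `return err` after `utilio.ReadAtMost(resp.Body, maxConfigLength)` drops the source URL. extractFromFile starts outside the hunk.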


@ -20,7 +20,6 @@ package config
import ( import (
"bytes" "bytes"
"fmt" "fmt"
"io/ioutil"
"net/http" "net/http"
"time" "time"
@ -31,6 +30,7 @@ import (
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
"k8s.io/klog" "k8s.io/klog"
utilio "k8s.io/utils/io"
) )
type sourceURL struct { type sourceURL struct {
@ -93,7 +93,7 @@ func (s *sourceURL) extractFromURL() error {
return err return err
} }
defer resp.Body.Close() defer resp.Body.Close()
data, err := ioutil.ReadAll(resp.Body) data, err := utilio.ReadAtMost(resp.Body, maxConfigLength)
if err != nil { if err != nil {
return err return err
} }


@ -28,6 +28,7 @@ go_library(
"//staging/src/k8s.io/apimachinery/pkg/types:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
"//vendor/k8s.io/klog:go_default_library", "//vendor/k8s.io/klog:go_default_library",
"//vendor/k8s.io/utils/io:go_default_library",
], ],
) )


@ -18,7 +18,6 @@ package lifecycle
import ( import (
"fmt" "fmt"
"io/ioutil"
"net" "net"
"net/http" "net/http"
"strconv" "strconv"
@ -31,6 +30,11 @@ import (
kubetypes "k8s.io/kubernetes/pkg/kubelet/types" kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
"k8s.io/kubernetes/pkg/kubelet/util/format" "k8s.io/kubernetes/pkg/kubelet/util/format"
"k8s.io/kubernetes/pkg/security/apparmor" "k8s.io/kubernetes/pkg/security/apparmor"
utilio "k8s.io/utils/io"
)
const (
maxRespBodyLength = 10 * 1 << 10 // 10KB
) )
type HandlerRunner struct { type HandlerRunner struct {
@ -133,7 +137,8 @@ func getHttpRespBody(resp *http.Response) string {
return "" return ""
} }
defer resp.Body.Close() defer resp.Body.Close()
if bytes, err := ioutil.ReadAll(resp.Body); err == nil { bytes, err := utilio.ReadAtMost(resp.Body, maxRespBodyLength)
if err == nil || err == utilio.ErrLimitReached {
return string(bytes) return string(bytes)
} }
return "" return ""
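Review bot: The new `bytes, err := utilio.ReadAtMost(resp.Body, maxRespBodyLength)` line moves the local `bytes` out of the former if-initializer into function scope, so it now shadows the standard `bytes` package identifier for the rest of getHttpRespBody; the visible import lines of this file do not show a `bytes` import, so this is a readability issue rather than a compile error, but `body, err := utilio.ReadAtMost(resp.Body, maxRespBodyLength)` with `return string(body)` avoids it. Accepting `utilio.ErrLimitReached` as success is appropriate for a body that only feeds a message, though as I read ReadAtMost the cap triggers once 10KB have been read, so the returned string may be cut mid-line with no marker; a short comment on the condition, `// ErrLimitReached: keep the truncated body, it is only used for the event message`, would make that deliberate. getHttpRespBody starts outside the hunk.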


@ -14,6 +14,7 @@ go_library(
"//staging/src/k8s.io/client-go/tools/record:go_default_library", "//staging/src/k8s.io/client-go/tools/record:go_default_library",
"//staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2:go_default_library", "//staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2:go_default_library",
"//vendor/k8s.io/klog:go_default_library", "//vendor/k8s.io/klog:go_default_library",
"//vendor/k8s.io/utils/io:go_default_library",
], ],
) )


@ -34,6 +34,7 @@ import (
"k8s.io/kubernetes/pkg/kubelet/util/format" "k8s.io/kubernetes/pkg/kubelet/util/format"
"k8s.io/klog" "k8s.io/klog"
utilio "k8s.io/utils/io"
) )
var ( var (
@ -49,6 +50,10 @@ const (
podDNSNone podDNSNone
) )
const (
maxResolveConfLength = 10 * 1 << 20 // 10MB
)
// Configurer is used for setting up DNS resolver configuration when launching pods. // Configurer is used for setting up DNS resolver configuration when launching pods.
type Configurer struct { type Configurer struct {
recorder record.EventRecorder recorder record.EventRecorder
@ -193,7 +198,7 @@ func (c *Configurer) CheckLimitsForResolvConf() {
// parseResolvConf reads a resolv.conf file from the given reader, and parses // parseResolvConf reads a resolv.conf file from the given reader, and parses
// it into nameservers, searches and options, possibly returning an error. // it into nameservers, searches and options, possibly returning an error.
func parseResolvConf(reader io.Reader) (nameservers []string, searches []string, options []string, err error) { func parseResolvConf(reader io.Reader) (nameservers []string, searches []string, options []string, err error) {
file, err := ioutil.ReadAll(reader) file, err := utilio.ReadAtMost(reader, maxResolveConfLength)
if err != nil { if err != nil {
return nil, nil, nil, err return nil, nil, nil, err
} }
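Review bot: parseResolvConf's doc comment still says only "possibly returning an error", but the new `utilio.ReadAtMost(reader, maxResolveConfLength)` call introduces a distinct failure mode that callers and tests should know about. Suggest extending the comment with `// Input of maxResolveConfLength bytes or more is rejected with utilio.ErrLimitReached.`, and giving the new constant a sentence of its own above `maxResolveConfLength = 10 * 1 << 20 // 10MB` saying it bounds how much of a resolv.conf is read so a huge or malformed file cannot exhaust kubelet memory. As a style point, the file being bounded is resolv.conf, so `maxResolvConfLength` would match the function name parseResolvConf. parseResolvConf's body continues past the hunk.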


@ -15,6 +15,7 @@ go_library(
"//pkg/version:go_default_library", "//pkg/version:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
"//vendor/k8s.io/klog:go_default_library", "//vendor/k8s.io/klog:go_default_library",
"//vendor/k8s.io/utils/io:go_default_library",
], ],
) )


@ -20,7 +20,6 @@ import (
"crypto/tls" "crypto/tls"
"errors" "errors"
"fmt" "fmt"
"io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
"time" "time"
@ -30,6 +29,11 @@ import (
"k8s.io/kubernetes/pkg/version" "k8s.io/kubernetes/pkg/version"
"k8s.io/klog" "k8s.io/klog"
utilio "k8s.io/utils/io"
)
const (
maxRespBodyLength = 10 * 1 << 10 // 10KB
) )
// New creates Prober that will skip TLS verification while probing. // New creates Prober that will skip TLS verification while probing.
@ -107,7 +111,7 @@ func DoHTTPProbe(url *url.URL, headers http.Header, client GetHTTPInterface) (pr
return probe.Failure, err.Error(), nil return probe.Failure, err.Error(), nil
} }
defer res.Body.Close() defer res.Body.Close()
b, err := ioutil.ReadAll(res.Body) b, err := utilio.ReadAtMost(res.Body, maxRespBodyLength)
if err != nil { if err != nil {
return probe.Failure, "", err return probe.Failure, "", err
} }
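Review bot: After `b, err := utilio.ReadAtMost(res.Body, maxRespBodyLength)`, the unchanged `if err != nil { return probe.Failure, "", err }` now turns `utilio.ErrLimitReached` into a probe failure, so a healthy endpoint whose response body is 10KB or larger (as I read ReadAtMost, reaching the limit is itself reported as the error) starts failing liveness/readiness checks after this commit, which is a behavior change the description does not mention. The body is only used for the probe output message, so the truncated bytes can be kept the way the lifecycle/handlers.go hunk in this same commit does: `if err != nil && err != utilio.ErrLimitReached {` in place of the current condition, optionally with a klog V(4) line noting the truncation. DoHTTPProbe starts before and continues past the hunk.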