Limit the read length of ioutil.ReadAll in pkg/credentialprovider
Signed-off-by: Haiyan Meng <haiyanmeng@google.com>
This commit is contained in:
Haiyan Meng
@@ -47,7 +47,9 @@ package azure
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"net/url"
|
||||
@@ -178,10 +180,15 @@ func performTokenExchange(
|
||||
}
|
||||
|
||||
var content []byte
|
||||
if content, err = ioutil.ReadAll(exchange.Body); err != nil {
|
||||
limitedReader := &io.LimitedReader{R: exchange.Body, N: maxReadLength}
|
||||
if content, err = ioutil.ReadAll(limitedReader); err != nil {
|
||||
return "", fmt.Errorf("Www-Authenticate: error reading response from %s", authEndpoint)
|
||||
}
|
||||
|
||||
if limitedReader.N <= 0 {
|
||||
return "", errors.New("the read limit is reached")
|
||||
}
|
||||
|
||||
var authResp acrAuthResponse
|
||||
if err = json.Unmarshal(content, &authResp); err != nil {
|
||||
return "", fmt.Errorf("Www-Authenticate: unable to read response %s", content)
|
||||
|
||||
@@ -18,6 +18,7 @@ package azure
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
@@ -38,7 +39,10 @@ import (
|
||||
var flagConfigFile = pflag.String("azure-container-registry-config", "",
|
||||
"Path to the file containing Azure container registry configuration information.")
|
||||
|
||||
const dummyRegistryEmail = "name@contoso.com"
|
||||
const (
|
||||
dummyRegistryEmail = "name@contoso.com"
|
||||
maxReadLength = 10 * 1 << 20 // 10MB
|
||||
)
|
||||
|
||||
var containerRegistryUrls = []string{"*.azurecr.io", "*.azurecr.cn", "*.azurecr.de", "*.azurecr.us"}
|
||||
|
||||
@@ -117,10 +121,14 @@ func parseConfig(configReader io.Reader) (*auth.AzureAuthConfig, error) {
|
||||
return &config, nil
|
||||
}
|
||||
|
||||
configContents, err := ioutil.ReadAll(configReader)
|
||||
limitedReader := &io.LimitedReader{R: configReader, N: maxReadLength}
|
||||
configContents, err := ioutil.ReadAll(limitedReader)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if limitedReader.N <= 0 {
|
||||
return nil, errors.New("the read limit is reached")
|
||||
}
|
||||
err = yaml.Unmarshal(configContents, &config)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
||||
@@ -19,7 +19,9 @@ package credentialprovider
|
||||
import (
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os"
|
||||
@@ -30,6 +32,10 @@ import (
|
||||
"k8s.io/klog"
|
||||
)
|
||||
|
||||
const (
|
||||
maxReadLength = 10 * 1 << 20 // 10MB
|
||||
)
|
||||
|
||||
// DockerConfigJson represents ~/.docker/config.json file info
|
||||
// see https://github.com/docker/docker/pull/12009
|
||||
type DockerConfigJson struct {
|
||||
@@ -195,11 +201,16 @@ func ReadUrl(url string, client *http.Client, header *http.Header) (body []byte,
|
||||
}
|
||||
}
|
||||
|
||||
contents, err := ioutil.ReadAll(resp.Body)
|
||||
limitedReader := &io.LimitedReader{R: resp.Body, N: maxReadLength}
|
||||
contents, err := ioutil.ReadAll(limitedReader)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if limitedReader.N <= 0 {
|
||||
return nil, errors.New("the read limit is reached")
|
||||
}
|
||||
|
||||
return contents, nil
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user