cli/context/store: limit decompressed size of TLS files on zip import#7105
Open
UditDewan wants to merge 1 commit into
Open
cli/context/store: limit decompressed size of TLS files on zip import#7105UditDewan wants to merge 1 commit into
UditDewan wants to merge 1 commit into
Conversation
The meta.json entry of an imported zip archive was read through limitedReader, but TLS entries were read with a bare io.ReadAll. Only the compressed archive size was capped, so a crafted zip entry could decompress to many times the allowed import size and exhaust memory. Apply the same size cap to TLS entries, and make limitedReader return its limit error instead of a clean EOF when a read lands exactly on the limit while more data remains, so oversized content fails instead of being silently truncated. Fixes docker#6917 Signed-off-by: uditDewan <udit.dewan21@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
- What I did
Fixed a memory exhaustion issue in
docker context importwith zip archives (fixes #6917).The
meta.jsonentry of an imported zip archive is read throughlimitedReader(10MB cap), buttls/entries were read with a bareio.ReadAll. Only the compressed archive size was capped, so a small crafted zip containing a highly compressible TLS entry could decompress to gigabytes and OOM the CLI.- How I did it
importZipthrough the samelimitedReaderalready used formeta.json.l.N == 0early-EOF branch fromlimitedReader.Read. Without this, content exceeding the limit was silently truncated (instead of rejected) whenever a read landed exactly on the remaining budget — which is deterministic for zip imports, since flate delivers 32KiB chunks that divide the 10MB cap evenly. True end-of-data still returns a cleanio.EOFvia the underlying reader.- How to verify it
New regression tests:
TestImportZipTLSDataTooLarge— imports a zip whose TLS entry inflates past the cap while the archive itself stays well under it, and asserts the import errors.TestLimitReaderReadAllcase usingiotest.OneByteReaderthat lands a read exactly on the limit with data remaining, and asserts the limit error is returned.- Human readable description for the release notes