containers
/
storage
mirror of https://github.com/containers/storage.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

chunked: refactor value into const 

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano 2024-11-07 15:18:07 +01:00
parent dcdc061f21
commit 1f54749ea9
No known key found for this signature in database
GPG Key ID: 67E38F7A8BA21772
2 changed files with 23 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/chunked/compression_linux.go
View File

@ -20,6 +20,12 @@ import (
expMaps "golang.org/x/exp/maps" expMaps "golang.org/x/exp/maps"
) )
const (
// maxTocSize is the maximum size of a blob that we will attempt to process.
// It is used to prevent DoS attacks from layers that embed a very large TOC file.
maxTocSize = (1 << 20) * 50
)
var typesToTar = map[string]byte{ var typesToTar = map[string]byte{
TypeReg: tar.TypeReg, TypeReg: tar.TypeReg,
TypeLink: tar.TypeLink, TypeLink: tar.TypeLink,
@ -77,7 +83,7 @@ func readEstargzChunkedManifest(blobStream ImageSourceSeekable, blobSize int64,
size := int64(blobSize - footerSize - tocOffset) size := int64(blobSize - footerSize - tocOffset)
// set a reasonable limit // set a reasonable limit
if size > (1<<20)*50 { if size > maxTocSize {
return nil, 0, errors.New("manifest too big") return nil, 0, errors.New("manifest too big")
} }
@ -106,7 +112,7 @@ func readEstargzChunkedManifest(blobStream ImageSourceSeekable, blobSize int64,
return err return err
} }
// set a reasonable limit // set a reasonable limit
if header.Size > (1<<20)*50 { if header.Size > maxTocSize {
return errors.New("manifest too big") return errors.New("manifest too big")
} }
@ -166,10 +172,10 @@ func readZstdChunkedManifest(blobStream ImageSourceSeekable, tocDigest digest.Di
} }
// set a reasonable limit // set a reasonable limit
if manifestChunk.Length > (1<<20)*50 { if manifestChunk.Length > maxTocSize {
return nil, nil, nil, 0, errors.New("manifest too big") return nil, nil, nil, 0, errors.New("manifest too big")
} }
if manifestLengthUncompressed > (1<<20)*50 { if manifestLengthUncompressed > maxTocSize {
return nil, nil, nil, 0, errors.New("manifest too big") return nil, nil, nil, 0, errors.New("manifest too big")
} }

17
pkg/chunked/storage_linux_test.go
View File

@ -128,7 +128,11 @@ func TestGetBlobAtWithErrors(t *testing.T) {
is := &mockImageSource{streams: streams, errors: errorsC} is := &mockImageSource{streams: streams, errors: errorsC}
resultChan, err := getBlobAt(is) chunks := []ImageSourceChunk{
{Offset: 0, Length: 1},
{Offset: 1, Length: 1},
}
resultChan, err := getBlobAt(is, chunks...)
require.NoError(t, err) require.NoError(t, err)
expectedErrors := []string{"error1", "error2"} expectedErrors := []string{"error1", "error2"}
@ -149,13 +153,18 @@ func TestGetBlobAtMixedStreamsAndErrors(t *testing.T) {
errorsC := make(chan error, 1) errorsC := make(chan error, 1)
streams <- mockReadCloserFromContent("stream1") streams <- mockReadCloserFromContent("stream1")
streams <- mockReadCloserFromContent("stream2")
errorsC <- errors.New("error1") errorsC <- errors.New("error1")
close(streams) close(streams)
close(errorsC) close(errorsC)
is := &mockImageSource{streams: streams, errors: errorsC} is := &mockImageSource{streams: streams, errors: errorsC}
resultChan, err := getBlobAt(is) chunks := []ImageSourceChunk{
{Offset: 0, Length: 1},
{Offset: 1, Length: 1},
}
resultChan, err := getBlobAt(is, chunks...)
require.NoError(t, err) require.NoError(t, err)
var receivedStreams int var receivedStreams int
@ -167,6 +176,6 @@ func TestGetBlobAtMixedStreamsAndErrors(t *testing.T) {
receivedStreams++ receivedStreams++
} }
} }
assert.Equal(t, 0, receivedStreams) assert.Equal(t, 2, receivedStreams)
assert.Equal(t, 2, receivedErrors) assert.Equal(t, 1, receivedErrors)
} }