Skip to content

Commit c1bcabb

Browse files
authored
Merge pull request from GHSA-5ffw-gxpp-mxpf
Limit the response size of ExecSync
2 parents 8bf5995 + 40aa4f3 commit c1bcabb

File tree

2 files changed

+95
-2
lines changed

2 files changed

+95
-2
lines changed

Diff for: pkg/cri/server/container_execsync.go

+43-2
Original file line numberDiff line numberDiff line change
@@ -38,14 +38,55 @@ import (
3838
cioutil "github.com/containerd/containerd/pkg/ioutil"
3939
)
4040

41+
type cappedWriter struct {
42+
w io.WriteCloser
43+
remain int
44+
}
45+
46+
func (cw *cappedWriter) Write(p []byte) (int, error) {
47+
if cw.remain <= 0 {
48+
return len(p), nil
49+
}
50+
51+
end := cw.remain
52+
if end > len(p) {
53+
end = len(p)
54+
}
55+
written, err := cw.w.Write(p[0:end])
56+
cw.remain -= written
57+
58+
if err != nil {
59+
return written, err
60+
}
61+
return len(p), nil
62+
}
63+
64+
func (cw *cappedWriter) Close() error {
65+
return cw.w.Close()
66+
}
67+
68+
func (cw *cappedWriter) isFull() bool {
69+
return cw.remain <= 0
70+
}
71+
4172
// ExecSync executes a command in the container, and returns the stdout output.
4273
// If command exits with a non-zero exit code, an error is returned.
4374
func (c *criService) ExecSync(ctx context.Context, r *runtime.ExecSyncRequest) (*runtime.ExecSyncResponse, error) {
75+
const maxStreamSize = 1024 * 1024 * 16
76+
4477
var stdout, stderr bytes.Buffer
78+
79+
// cappedWriter truncates the output. In that case, the size of
80+
// the ExecSyncResponse will hit the CRI plugin's gRPC response limit.
81+
// Thus the callers outside of the containerd process (e.g. Kubelet) never see
82+
// the truncated output.
83+
cout := &cappedWriter{w: cioutil.NewNopWriteCloser(&stdout), remain: maxStreamSize}
84+
cerr := &cappedWriter{w: cioutil.NewNopWriteCloser(&stderr), remain: maxStreamSize}
85+
4586
exitCode, err := c.execInContainer(ctx, r.GetContainerId(), execOptions{
4687
cmd: r.GetCmd(),
47-
stdout: cioutil.NewNopWriteCloser(&stdout),
48-
stderr: cioutil.NewNopWriteCloser(&stderr),
88+
stdout: cout,
89+
stderr: cerr,
4990
timeout: time.Duration(r.GetTimeout()) * time.Second,
5091
})
5192
if err != nil {

Diff for: pkg/cri/server/container_execsync_test.go

+52
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
/*
2+
Copyright The containerd Authors.
3+
4+
Licensed under the Apache License, Version 2.0 (the "License");
5+
you may not use this file except in compliance with the License.
6+
You may obtain a copy of the License at
7+
8+
http://www.apache.org/licenses/LICENSE-2.0
9+
10+
Unless required by applicable law or agreed to in writing, software
11+
distributed under the License is distributed on an "AS IS" BASIS,
12+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
See the License for the specific language governing permissions and
14+
limitations under the License.
15+
*/
16+
17+
package server
18+
19+
import (
20+
"bytes"
21+
"testing"
22+
23+
cioutil "github.com/containerd/containerd/pkg/ioutil"
24+
"github.com/stretchr/testify/assert"
25+
)
26+
27+
func TestCWWrite(t *testing.T) {
28+
var buf bytes.Buffer
29+
cw := &cappedWriter{w: cioutil.NewNopWriteCloser(&buf), remain: 10}
30+
31+
n, err := cw.Write([]byte("hello"))
32+
assert.NoError(t, err)
33+
assert.Equal(t, 5, n)
34+
35+
n, err = cw.Write([]byte("helloworld"))
36+
assert.NoError(t, err, "no errors even it hits the cap")
37+
assert.Equal(t, 10, n, "no indication of partial write")
38+
assert.True(t, cw.isFull())
39+
assert.Equal(t, []byte("hellohello"), buf.Bytes(), "the underlying writer is capped")
40+
41+
_, err = cw.Write([]byte("world"))
42+
assert.NoError(t, err)
43+
assert.True(t, cw.isFull())
44+
assert.Equal(t, []byte("hellohello"), buf.Bytes(), "the underlying writer is capped")
45+
}
46+
47+
func TestCWClose(t *testing.T) {
48+
var buf bytes.Buffer
49+
cw := &cappedWriter{w: cioutil.NewNopWriteCloser(&buf), remain: 5}
50+
err := cw.Close()
51+
assert.NoError(t, err)
52+
}

0 commit comments

Comments
 (0)