limit yaml/json decode size #83261

Merged
merged 2 commits into from Oct 3, 2019

Conversation

liggitt (Member) commented Sep 27, 2019

What type of PR is this?
/kind bug

What this PR does / why we need it:
Fixes resource exhaustion issues in json and yaml parsers

Which issue(s) this PR fixes:
Fixes #83253

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Fixes a flaw (CVE-2019-11253) in json/yaml decoding where large or malformed documents could consume excessive server resources. Request bodies for normal API requests (create/delete/update/patch operations of regular resources) are now limited to 3MB.
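The mitigation the release note above describes (bounding the size of a request body before it reaches the decoder), as an added example that is not part of this PR or of the Kubernetes code base: a small Go helper that caps the number of bytes read from a body and rejects anything over the cap before any JSON parsing happens, so an oversized document is never buffered in full or handed to the parser. The 64-byte limit, the `ErrBodyTooLarge` name and the sample documents are constructed for the demonstration (the PR's actual limit is 3MB); only the standard library's `encoding/json` is used and yaml handling is left out.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrBodyTooLarge is returned when the body exceeds the configured limit.
// Name chosen for this example; it is not an identifier from the PR.
var ErrBodyTooLarge = errors.New("request body exceeds size limit")

// readLimited reads at most limit bytes from r. It reads one byte past the
// limit so that an over-limit body is detected without consuming the rest
// of the stream, and returns ErrBodyTooLarge in that case.
func readLimited(r io.Reader, limit int64) ([]byte, error) {
	lr := io.LimitReader(r, limit+1)
	data, err := io.ReadAll(lr)
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrBodyTooLarge
	}
	return data, nil
}

// decodeLimited enforces the size limit first and only then decodes the
// JSON document into v. The parser therefore never sees an oversized input.
func decodeLimited(r io.Reader, limit int64, v interface{}) error {
	data, err := readLimited(r, limit)
	if err != nil {
		return err
	}
	return json.Unmarshal(data, v)
}

func main() {
	// Constructed limit for the demonstration; the PR uses 3MB for API requests.
	const limit = 64

	// A small, well-formed document is accepted and decoded normally.
	small := `{"apiVersion":"v1","kind":"ConfigMap"}`
	var out map[string]interface{}
	if err := decodeLimited(strings.NewReader(small), limit, &out); err != nil {
		fmt.Println("unexpected error:", err)
		return
	}
	fmt.Println("decoded kind:", out["kind"])

	// A document padded past the limit is rejected before parsing.
	big := `{"padding":"` + strings.Repeat("A", 100) + `"}`
	err := decodeLimited(strings.NewReader(big), limit, &out)
	fmt.Println("oversized body rejected:", errors.Is(err, ErrBodyTooLarge))
}
```

In a real `net/http` handler the same effect is obtained with `http.MaxBytesReader`, which additionally closes the connection once the cap is exceeded; the hand-rolled reader above is used here so the limit check is visible in a few lines.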
liggitt (Member, author) commented Sep 27, 2019

/cc @cjcullen

@k8s-ci-robot k8s-ci-robot requested a review from cjcullen Sep 27, 2019
@liggitt liggitt force-pushed the liggitt:yaml-limits branch from 29a406a to 95c762c Sep 28, 2019
@k8s-ci-robot k8s-ci-robot added size/XXL and removed size/L labels Sep 28, 2019
@liggitt liggitt force-pushed the liggitt:yaml-limits branch 2 times, most recently from b1a0410 to 06e0e8b Sep 28, 2019
caesarxuchao (Member) left a comment

I stopped when I got confused with how the overhead consts are determined. I'll continue on Monday.

Review comments (outdated, resolved) on:
staging/src/k8s.io/apiserver/pkg/server/config.go (2)
vendor/gopkg.in/yaml.v2/yaml.go (2)
vendor/gopkg.in/yaml.v2/apic.go
vendor/gopkg.in/yaml.v2/decode.go
@liggitt liggitt force-pushed the liggitt:yaml-limits branch 4 times, most recently from 0dbd6c2 to 1f5b26e Sep 30, 2019
@k8s-ci-robot k8s-ci-robot added size/XL and removed size/XXL labels Sep 30, 2019
liggitt (Member, author) commented Oct 2, 2019

/priority critical-urgent

liggitt (Member, author) commented Oct 2, 2019

/hold

@liggitt liggitt force-pushed the liggitt:yaml-limits branch from c266214 to 8ef4566 Oct 3, 2019
@k8s-ci-robot k8s-ci-robot added size/XXL and removed lgtm size/XL labels Oct 3, 2019
liggitt (Member, author) commented Oct 3, 2019

/hold cancel

Added integration tests against normal and custom resources exercising create and all the patch flows, just above and below the accepted size limit.

cjcullen (Member) commented Oct 3, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Oct 3, 2019
liggitt (Member, author) commented Oct 3, 2019

/retest
flake #83321

@k8s-ci-robot k8s-ci-robot merged commit 4afcba4 into kubernetes:master Oct 3, 2019
16 checks passed:
cla/linuxfoundation liggitt authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-conformance-kind-ipv6 Job succeeded.
pull-kubernetes-dependencies Job succeeded.
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-e2e-kind Job succeeded.
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-node-e2e-containerd Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.
tide In merge pool.
@k8s-ci-robot k8s-ci-robot added this to the v1.17 milestone Oct 3, 2019
@liggitt liggitt deleted the liggitt:yaml-limits branch Oct 3, 2019
k8s-ci-robot added a commit that referenced this pull request Oct 4, 2019
…1-upstream-release-1.14

[1.14] Automated cherry pick of #83261: bump gopkg.in/yaml.v2 v2.2.4
k8s-ci-robot added a commit that referenced this pull request Oct 4, 2019
…1-upstream-release-1.16

[1.16] Automated cherry pick of #83261: bump gopkg.in/yaml.v2 v2.2.4
k8s-ci-robot added a commit that referenced this pull request Oct 4, 2019
…1-upstream-release-1.13-1570075716

[1.13] Automated cherry pick of #83261: bump gopkg.in/yaml.v2 v2.2.4
k8s-ci-robot added a commit that referenced this pull request Oct 4, 2019
…1-upstream-release-1.15

[1.15] Automated cherry pick of #83261: bump gopkg.in/yaml.v2 v2.2.4