
Commit fec2992

fix: address vulnerability issues in notary implementations (#8428)
* fix: set max limit on referrers count Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add limit to max size of payload Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add max count limit on listsignatures Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add max signature size limit in FetchSignatureBlob Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
1 parent cef9a7a commit fec2992

2 files changed

+25
-0
lines changed


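--- a/pkg/notary/notary.go
+++ b/pkg/notary/notary.go
@@ -24,6 +24,11 @@ import (
 "go.uber.org/multierr"
 )
 
+var (
+maxReferrersCount = 50
+maxPayloadSize = 10 * 1000 * 1000 // 10 MB
+)
+
 func NewVerifier() images.ImageVerifier {
 return &notaryVerifier{
 log: logging.WithName("Notary"),
@@ -162,6 +167,11 @@ func (v *notaryVerifier) FetchAttestations(ctx context.Context, opts images.Opti
 return nil, err
 }
 
+// See: https://github.com/kyverno/kyverno/security/advisories/GHSA-9g37-h7p2-2c6r
+if len(referrersDescs.Manifests) > maxReferrersCount {
+return nil, fmt.Errorf("failed to fetch referrers: to many referrers found, max limit is %d", maxReferrersCount)
+}
+
 v.log.V(4).Info("fetched referrers", "referrers", referrersDescs)
 
 var statements []map[string]interface{}
@@ -308,6 +318,11 @@ func extractStatement(ctx context.Context, repoRef name.Reference, desc v1.Descr
 }
 predicateDesc := manifest.Layers[0]
 
+// See: https://github.com/kyverno/kyverno/security/advisories/GHSA-wc3x-5rfv-hh5v
+if predicateDesc.Size > int64(maxPayloadSize) {
+return nil, fmt.Errorf("payload size is too large, max size is %d: %+v", maxPayloadSize, predicateDesc)
+}
+
 layer, err := gcrremote.Layer(ref.Context().Digest(predicateDesc.Digest.String()), remoteOpts...)
 if err != nil {
 return nil, err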
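--- a/pkg/notary/repository.go
+++ b/pkg/notary/repository.go
@@ -50,6 +50,11 @@ func (c *repositoryClient) ListSignatures(ctx context.Context, desc ocispec.Desc
 return err
 }
 
+// See: https://github.com/kyverno/kyverno/security/advisories/GHSA-hjpv-68f4-2262
+if len(referrersDescs.Manifests) > maxReferrersCount {
+return fmt.Errorf("failed to fetch referrers: to many referrers found, max limit is %d", maxReferrersCount)
+}
+
 descList := []ocispec.Descriptor{}
 for _, d := range referrersDescs.Manifests {
 if d.ArtifactType == notationregistry.ArtifactTypeNotation {
@@ -81,6 +86,11 @@ func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.
 }
 manifestDesc := manifest.Layers[0]
 
+// See: https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r
+if manifestDesc.Size > int64(maxPayloadSize) {
+return nil, ocispec.Descriptor{}, fmt.Errorf("payload size is too large, max size is %d: %+v", maxPayloadSize, manifestDesc)
+}
+
 signatureBlobRef, err := name.ParseReference(c.getReferenceFromDescriptor(manifestDesc))
 if err != nil {
 return nil, ocispec.Descriptor{}, err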