
Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv #3661

Merged (3 commits), Apr 10, 2024

Commits on Apr 10, 2024

  1. Merge pull request from GHSA-95pr-fxf5-86gv

    An Image may come from an untrusted source and contain an unknown number
    of signatures in the .sig manifest. A common pattern in cosign is to use
    the number of signatures as the capacity for a new slice. But this means
    the size of the slice is based on an unvalidated external input and
    could result in cosign running out of memory.
    
    This change adds validation for certain implementations of the
    oci.Signatures Get() method to limit the number of image descriptors
    returned. This way, callers can rely on the returned slice of signatures
    being a reasonable size to process safely.
    
    The limit is set to 1000, which is a generous size based on the
    practical restrictions that container registries set for image manifest
    size and approximations of memory allocations for signature layers.
    
    Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
    Co-authored-by: Colleen Murphy <colleenmurphy@google.com>
    haydentherapper and cmurphy committed Apr 10, 2024
    Commit 9b330f2
  2. Merge pull request from GHSA-88jx-383q-w4qc

    When downloading an attestation or SBOM from an external source, check
    its size before reading it into memory. This protects the host from
    potentially reading a maliciously large attachment into memory and
    exhausting the system.
    
    SBOMs can vary widely in size, and there could be legitimate SBOMs of up
    to 700MB. However, reading a 700MB SBOM into memory would easily bring
    down a small cloud VM. Moreover, most SBOMs are not going to be that
    large. This change sets a reasonable default of 128MiB, and allows
    overriding the default by setting the environment variable
    `COSIGN_MAX_ATTACHMENT_SIZE`.
    
    Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
    Co-authored-by: Colleen Murphy <colleenmurphy@google.com>
    haydentherapper and cmurphy committed Apr 10, 2024
    Commit 5c02c2f
  3. add missing licenses

    Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
    haydentherapper committed Apr 10, 2024
    Commit 78629dd
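The two mitigations described in the first two commit messages above, as an added Go example that is not cosign's own code: a hard cap on the signature descriptor count before it is used as a slice capacity, and a size check before an attachment is read into memory, with the 128 MiB default overridable. The function names, and the assumption that `COSIGN_MAX_ATTACHMENT_SIZE` holds a plain byte count, are assumptions of this example, not the project's.

```go
package main

import (
	"fmt"
	"io"
	"strconv"
)

// Limits taken from the two commit messages above.
const (
	defaultMaxAttachmentSize int64 = 128 << 20 // 128 MiB
	maxSignatureDescriptors        = 1000
)

// maxAttachmentSize returns the byte limit, honouring an override such as
// COSIGN_MAX_ATTACHMENT_SIZE. Assumption: the value is a plain byte count;
// unparsable or non-positive values keep the default.
func maxAttachmentSize(env string) int64 {
	if n, err := strconv.ParseInt(env, 10, 64); err == nil && n > 0 {
		return n
	}
	return defaultMaxAttachmentSize
}

// readBounded reads an attachment into memory only after two checks: the size
// the registry declares is rejected up front, and the stream itself is capped
// with io.LimitReader in case the declared size is wrong.
func readBounded(r io.Reader, declaredSize, limit int64) ([]byte, error) {
	if declaredSize > limit {
		return nil, fmt.Errorf("attachment of %d bytes exceeds limit of %d", declaredSize, limit)
	}
	// Read one byte past the limit so an over-long stream is detected, not silently truncated.
	buf, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, fmt.Errorf("attachment stream exceeds limit of %d bytes", limit)
	}
	return buf, nil
}

// signatureCapacity validates a manifest's descriptor count before it is used
// as a slice capacity, the pattern the first commit message describes.
func signatureCapacity(n int) (int, error) {
	if n < 0 || n > maxSignatureDescriptors {
		return 0, fmt.Errorf("%d signature descriptors exceeds limit of %d", n, maxSignatureDescriptors)
	}
	return n, nil
}
```

The second check in readBounded matters because a descriptor's declared size comes from the same untrusted registry as the blob it describes.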