feat: limit max certificates and known hosts in stream parsing (#25777)

Signed-off-by: Ankit Pramanik <59945244+ankit98040@users.noreply.github.com>
This commit is contained in:
Ankit Pramanik
2025-12-22 21:00:18 +05:30
committed by GitHub
parent 91a1311bbe
commit ef75a2e7a5
2 changed files with 29 additions and 1 deletions


@@ -152,7 +152,6 @@ func ParseTLSCertificatesFromStream(stream io.Reader) ([]string, error) {
certificateList := make([]string, 0)
// TODO: Implement maximum amount of data to parse
// TODO: Implement error heuristics
for scanner.Scan() {
@@ -169,6 +168,9 @@ func ParseTLSCertificatesFromStream(stream io.Reader) ([]string, error) {
if strings.HasPrefix(scanner.Text(), CertificateEndMarker) {
inCertData = false
certificateList = append(certificateList, pemData)
if len(certificateList) > CertificateMaxEntriesPerStream {
return nil, errors.New("limit exceeded")
}
pemData = ""
}
}
@@ -217,6 +219,9 @@ func ParseSSHKnownHostsFromStream(stream io.Reader) ([]string, error) {
if IsValidSSHKnownHostsEntry(lineData) {
numEntries++
knownHostsLists = append(knownHostsLists, lineData)
if len(knownHostsLists) > CertificateMaxEntriesPerStream {
return nil, errors.New("limit exceeded")
}
}
}
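Review bot: The new cap in the `CertificateEndMarker` branch bounds how many entries are collected, not how much input is read before that, so dropping the `// TODO: Implement maximum amount of data to parse` line at the top of the hunk looks premature — a stream that never reaches an end marker presumably keeps accumulating into `pemData` (that accumulation is outside this hunk, so confirm), and the same applies to ParseSSHKnownHostsFromStream. Both checks also run after the append, so the slice grows one past the limit before the error is returned; testing `len(certificateList) >= CertificateMaxEntriesPerStream` before the append (and likewise for `knownHostsLists`) avoids that, and in the known-hosts hunk the freshly incremented `numEntries` could serve as the counter instead of a second `len` call. A bare `errors.New("limit exceeded")` gives callers nothing to match on and hides which parser and which limit tripped; a package-level `var ErrLimitExceeded = errors.New("limit exceeded")` returned as `fmt.Errorf("%w: more than %d certificates in stream", ErrLimitExceeded, CertificateMaxEntriesPerStream)` keeps the substring the new tests look for while adding the number. Reusing `CertificateMaxEntriesPerStream` for known-hosts entries is a naming mismatch as well; a neutral `MaxEntriesPerStream` or a dedicated known-hosts constant would read better. Both enclosing functions start and end outside the hunk.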


@@ -545,3 +545,26 @@ func TestGetCertBundlePathForRepository(t *testing.T) {
assert.Empty(t, certpath)
})
}
func TestTLSCertificateLimit(t *testing.T) {
var data string
// Append one more than the max allowed
for i := 0; i < CertificateMaxEntriesPerStream+1; i++ {
data += TestTLSValidSingleCert
}
_, err := ParseTLSCertificatesFromData(data)
require.Error(t, err)
assert.Contains(t, err.Error(), "limit exceeded")
}
func TestSSHKnownHostsLimit(t *testing.T) {
var data string
entry := "github.com ssh-rsa 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\n"
// Append one more than the max allowed
for i := 0; i < CertificateMaxEntriesPerStream+1; i++ {
data += entry
}
_, err := ParseSSHKnownHostsFromData(data)
require.Error(t, err)
assert.Contains(t, err.Error(), "limit exceeded")
}
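Review bot: TestTLSCertificateLimit and TestSSHKnownHostsLimit only exercise the max+1 case, so an off-by-one that rejects exactly CertificateMaxEntriesPerStream entries would go unnoticed; add the boundary case, e.g. `_, err = ParseTLSCertificatesFromData(strings.Repeat(TestTLSValidSingleCert, CertificateMaxEntriesPerStream))` followed by `require.NoError(t, err)`, and the same for ParseSSHKnownHostsFromData. Building `data` with `+=` in a loop is quadratic and can be replaced by `strings.Repeat(entry, CertificateMaxEntriesPerStream+1)` (assuming `strings` is imported in this test file). Matching on the substring "limit exceeded" couples the tests to the error text; if the parsers expose a sentinel error, `require.ErrorIs(t, err, ErrLimitExceeded)` would be sturdier.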