
fix: additional input validation for CVE graphQL query (#2408)

It is possible to ask for a very large limit size which can exhaust
memory.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
This commit is contained in:
Ramkumar Chinchani 2024-04-23 23:23:17 -07:00 committed by GitHub
parent 7b1fc0450e
commit 186855b5f8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 24 additions and 0 deletions


@ -117,6 +117,7 @@ var (
ErrEmptyDigest = errors.New("digest can't be empty string") ErrEmptyDigest = errors.New("digest can't be empty string")
ErrInvalidRepoRefFormat = errors.New("invalid image reference format, use [repo:tag] or [repo@digest]") ErrInvalidRepoRefFormat = errors.New("invalid image reference format, use [repo:tag] or [repo@digest]")
ErrLimitIsNegative = errors.New("pagination limit has negative value") ErrLimitIsNegative = errors.New("pagination limit has negative value")
ErrLimitIsExcessive = errors.New("pagination limit has excessive value")
ErrOffsetIsNegative = errors.New("pagination offset has negative value") ErrOffsetIsNegative = errors.New("pagination offset has negative value")
ErrSortCriteriaNotSupported = errors.New("the pagination sort criteria is not supported") ErrSortCriteriaNotSupported = errors.New("the pagination sort criteria is not supported")
ErrMediaTypeNotSupported = errors.New("media type is not supported") ErrMediaTypeNotSupported = errors.New("media type is not supported")


@ -62,6 +62,8 @@ type CvePageFinder struct {
pageBuffer []cvemodel.CVE pageBuffer []cvemodel.CVE
} }
const maxCvePageLimit = 4 * 1024
func NewCvePageFinder(limit, offset int, sortBy cvemodel.SortCriteria) (*CvePageFinder, error) { func NewCvePageFinder(limit, offset int, sortBy cvemodel.SortCriteria) (*CvePageFinder, error) {
if sortBy == "" { if sortBy == "" {
sortBy = SeverityDsc sortBy = SeverityDsc
@ -71,6 +73,10 @@ func NewCvePageFinder(limit, offset int, sortBy cvemodel.SortCriteria) (*CvePage
return nil, zerr.ErrLimitIsNegative return nil, zerr.ErrLimitIsNegative
} }
if limit > maxCvePageLimit {
return nil, zerr.ErrLimitIsExcessive
}
if offset < 0 { if offset < 0 {
return nil, zerr.ErrOffsetIsNegative return nil, zerr.ErrOffsetIsNegative
} }
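Review bot: `maxCvePageLimit` at the top of the first hunk has no doc comment saying what the 4 * 1024 ceiling protects, so the next reader has to dig up this commit to learn it exists to stop a single query from driving an oversized page buffer (the commit message is the only place the memory-exhaustion rationale appears, and the struct's `pageBuffer` on the line above is presumably what grows with the limit — confirm). A one-line comment such as `// maxCvePageLimit caps the page size a single CVE query may request; unbounded limits let one request dictate how much the page buffer allocates.` would keep the reason next to the number. The check itself in the second hunk is fine: it sits after the negative-limit rejection, so the two guards are mutually exclusive, and it returns the sentinel unwrapped, which lets callers match it with errors.Is. Since the constant is unexported, a client only ever sees "excessive" without knowing the bound; consider exposing the limit through the API schema or documentation for the graphQL query. NewCvePageFinder begins in the first hunk and its body continues past the end of the second.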


@ -415,6 +415,23 @@ func TestCVEPagination(t *testing.T) {
previousSeverity = severityToInt[cve.Severity] previousSeverity = severityToInt[cve.Severity]
} }
}) })
Convey("bad limits", func() {
_, _, _, err := cveInfo.GetCVEListForImage(ctx, "repo1", "0.1.0", "", "", "", cvemodel.PageInput{
Limit: -1,
Offset: 3,
SortBy: cveinfo.AlphabeticAsc,
},
)
So(err, ShouldNotBeNil)
_, _, _, err = cveInfo.GetCVEListForImage(ctx, "repo1", "0.1.0", "", "", "", cvemodel.PageInput{
Limit: 4097,
Offset: 3,
SortBy: cveinfo.AlphabeticAsc,
},
)
So(err, ShouldNotBeNil)
})
}) })
}) })
} }
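Review bot: Both `So(err, ShouldNotBeNil)` assertions in the new "bad limits" block accept any error, so the second case does not actually prove the new excessive-limit path is taken — a failure for an unrelated reason (or the pre-existing negative-limit branch) would pass just the same. Matching the sentinel with `errors.Is` pins each case to its guard, and a boundary call at exactly 4096 (the `4 * 1024` ceiling) expecting no error would show the check is strictly greater-than rather than greater-or-equal, which the 4097 case alone cannot. The fence below assumes the test file imports the project errors package as `zerr`, as the cveinfo code does; adjust to the alias it actually uses. TestCVEPagination begins outside the hunk.
```go
So(errors.Is(err, zerr.ErrLimitIsNegative), ShouldBeTrue)
// … unchanged: second GetCVEListForImage call with Limit: 4097 …
So(errors.Is(err, zerr.ErrLimitIsExcessive), ShouldBeTrue)
_, _, _, err = cveInfo.GetCVEListForImage(ctx, "repo1", "0.1.0", "", "", "", cvemodel.PageInput{
	Limit:  4096,
	Offset: 3,
	SortBy: cveinfo.AlphabeticAsc,
},
)
So(err, ShouldBeNil)
```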