Skip to content

Commit 629f5f8

Browse files
haydentherapperhaydentherapper
authored
* Merge pull request from GHSA-95pr-fxf5-86gv An Image may come from an untrusted source and contain an unknown number of signatures in the .sig manifest. A common pattern in cosign is to use the number of signatures as the capacity for a new slice. But this means the size of the slice is based on an unvalidated external input and could result in cosign running out of memory. This change adds validation for certain implementations of the oci.Signatures Get() method to limit the number of image descriptors returned. This way, callers can rely on the returned slice of signatures being a reasonable size to process safely. The limit is set to 1000, which is a generous size based on the practical restrictions that container registries set for image manifest size and approximations of memory allocations for signature layers. Signed-off-by: Colleen Murphy <[email protected]> * Merge pull request from GHSA-88jx-383q-w4qc When downloading an attestation or SBOM from an external source, check its size before reading it into memory. This protects the host from potentially reading a maliciously large attachment into memory and exhausting the system. SBOMs can vary widely in size, and there could be legitimate SBOMs of up to 700MB. However, reading a 700MB SBOM into memory would easily bring down a small cloud VM. Moreover, most SBOMs are not going to be that large. This change sets a reasonable default of 128MiB, and allows overriding the default by setting the environment variable `COSIGN_MAX_ATTACHMENT_SIZE`. Signed-off-by: Colleen Murphy <[email protected]> --------- Signed-off-by: Colleen Murphy <[email protected]>
1 parent 302aee6 commit 629f5f8

22 files changed

+657
-7
lines changed

cmd/cosign/cli/verify/verify_blob_attestation.go

+9
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,7 @@ import (
3434
"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
3535
"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
3636
internal "github.com/sigstore/cosign/v2/internal/pkg/cosign"
37+
payloadsize "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size"
3738
"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa"
3839
"github.com/sigstore/cosign/v2/pkg/blob"
3940
"github.com/sigstore/cosign/v2/pkg/cosign"
@@ -117,6 +118,14 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
117118
return err
118119
}
119120
defer f.Close()
121+
fileInfo, err := f.Stat()
122+
if err != nil {
123+
return err
124+
}
125+
err = payloadsize.CheckSize(uint64(fileInfo.Size()))
126+
if err != nil {
127+
return err
128+
}
120129

121130
payload = internal.NewHashReader(f, sha256.New())
122131
if _, err := io.ReadAll(&payload); err != nil {

cmd/cosign/cli/verify/verify_blob_attestation_test.go

+12
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,7 @@ gZPFIp557+TOoDxf14FODWc+sIPETk0OgCplAk60doVXbCv33IU4rXZHrg==
3232
const (
3333
blobContents = "some-payload"
3434
anotherBlobContents = "another-blob"
35+
hugeBlobContents = "hugepayloadhugepayloadhugepayloadhugepayloadhugepayloadhugepayloadhugepayloadhugepayloadhugepayloadhugepayloadhugepayloadhugepayloadhugepayload"
3536
blobSLSAProvenanceSignature = "eyJwYXlsb2FkVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5pbi10b3RvK2pzb24iLCJwYXlsb2FkIjoiZXlKZmRIbHdaU0k2SW1oMGRIQnpPaTh2YVc0dGRHOTBieTVwYnk5VGRHRjBaVzFsYm5RdmRqQXVNU0lzSW5CeVpXUnBZMkYwWlZSNWNHVWlPaUpvZEhSd2N6b3ZMM05zYzJFdVpHVjJMM0J5YjNabGJtRnVZMlV2ZGpBdU1pSXNJbk4xWW1wbFkzUWlPbHQ3SW01aGJXVWlPaUppYkc5aUlpd2laR2xuWlhOMElqcDdJbk5vWVRJMU5pSTZJalkxT0RjNE1XTmtOR1ZrT1dKallUWXdaR0ZqWkRBNVpqZGlZamt4TkdKaU5URTFNREpsT0dJMVpEWXhPV1kxTjJZek9XRXhaRFkxTWpVNU5tTmpNalFpZlgxZExDSndjbVZrYVdOaGRHVWlPbnNpWW5WcGJHUmxjaUk2ZXlKcFpDSTZJaklpZlN3aVluVnBiR1JVZVhCbElqb2llQ0lzSW1sdWRtOWpZWFJwYjI0aU9uc2lZMjl1Wm1sblUyOTFjbU5sSWpwN2ZYMTlmUT09Iiwic2lnbmF0dXJlcyI6W3sia2V5aWQiOiIiLCJzaWciOiJNRVVDSUE4S2pacWtydDkwZnpCb2pTd3d0ajNCcWI0MUU2cnV4UWs5N1RMbnB6ZFlBaUVBek9Bak9Uenl2VEhxYnBGREFuNnpocmc2RVp2N2t4SzVmYVJvVkdZTWgyYz0ifV19"
3637
dssePredicateEmptySubject = "eyJwYXlsb2FkVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5pbi10b3RvK2pzb24iLCJwYXlsb2FkIjoiZXlKZmRIbHdaU0k2SW1oMGRIQnpPaTh2YVc0dGRHOTBieTVwYnk5VGRHRjBaVzFsYm5RdmRqQXVNU0lzSW5CeVpXUnBZMkYwWlZSNWNHVWlPaUpvZEhSd2N6b3ZMM05zYzJFdVpHVjJMM0J5YjNabGJtRnVZMlV2ZGpBdU1pSXNJbk4xWW1wbFkzUWlPbHRkTENKd2NtVmthV05oZEdVaU9uc2lZblZwYkdSbGNpSTZleUpwWkNJNklqSWlmU3dpWW5WcGJHUlVlWEJsSWpvaWVDSXNJbWx1ZG05allYUnBiMjRpT25zaVkyOXVabWxuVTI5MWNtTmxJanA3ZlgxOWZRPT0iLCJzaWduYXR1cmVzIjpbeyJrZXlpZCI6IiIsInNpZyI6Ik1FWUNJUUNrTEV2NkhZZ0svZDdUK0N3NTdXbkZGaHFUTC9WalAyVDA5Q2t1dk1nbDRnSWhBT1hBM0lhWWg1M1FscVk1eVU4cWZxRXJma2tGajlEakZnaWovUTQ2NnJSViJ9XX0="
3738
dssePredicateMissingSha256 = "eyJwYXlsb2FkVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5pbi10b3RvK2pzb24iLCJwYXlsb2FkIjoiZXlKZmRIbHdaU0k2SW1oMGRIQnpPaTh2YVc0dGRHOTBieTVwYnk5VGRHRjBaVzFsYm5RdmRqQXVNU0lzSW5CeVpXUnBZMkYwWlZSNWNHVWlPaUpvZEhSd2N6b3ZMM05zYzJFdVpHVjJMM0J5YjNabGJtRnVZMlV2ZGpBdU1pSXNJbk4xWW1wbFkzUWlPbHQ3SW01aGJXVWlPaUppYkc5aUlpd2laR2xuWlhOMElqcDdmWDFkTENKd2NtVmthV05oZEdVaU9uc2lZblZwYkdSbGNpSTZleUpwWkNJNklqSWlmU3dpWW5WcGJHUlVlWEJsSWpvaWVDSXNJbWx1ZG05allYUnBiMjRpT25zaVkyOXVabWxuVTI5MWNtTmxJanA3ZlgxOWZRPT0iLCJzaWduYXR1cmVzIjpbeyJrZXlpZCI6IiIsInNpZyI6Ik1FVUNJQysvM2M4RFo1TGFZTEx6SFZGejE3ZmxHUENlZXVNZ2tIKy8wa2s1cFFLUEFpRUFqTStyYnBBRlJybDdpV0I2Vm9BYVZPZ3U3NjRRM0JKdHI1bHk4VEFHczNrPSJ9XX0="
@@ -46,13 +47,15 @@ func TestVerifyBlobAttestation(t *testing.T) {
4647

4748
blobPath := writeBlobFile(t, td, blobContents, "blob")
4849
anotherBlobPath := writeBlobFile(t, td, anotherBlobContents, "other-blob")
50+
hugeBlobPath := writeBlobFile(t, td, hugeBlobContents, "huge-blob")
4951
keyRef := writeBlobFile(t, td, pubkey, "cosign.pub")
5052

5153
tests := []struct {
5254
description string
5355
blobPath string
5456
signature string
5557
predicateType string
58+
env map[string]string
5659
shouldErr bool
5760
}{
5861
{
@@ -98,11 +101,20 @@ func TestVerifyBlobAttestation(t *testing.T) {
98101
signature: dssePredicateMultipleSubjectsInvalid,
99102
blobPath: blobPath,
100103
shouldErr: true,
104+
}, {
105+
description: "override file size limit",
106+
signature: blobSLSAProvenanceSignature,
107+
blobPath: hugeBlobPath,
108+
env: map[string]string{"COSIGN_MAX_ATTACHMENT_SIZE": "128"},
109+
shouldErr: true,
101110
},
102111
}
103112

104113
for _, test := range tests {
105114
t.Run(test.description, func(t *testing.T) {
115+
for k, v := range test.env {
116+
t.Setenv(k, v)
117+
}
106118
decodedSig, err := base64.StdEncoding.DecodeString(test.signature)
107119
if err != nil {
108120
t.Fatal(err)

go.mod

+1
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@ require (
1111
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46
1212
github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936
1313
github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7
14+
github.com/dustin/go-humanize v1.0.1
1415
github.com/go-openapi/runtime v0.28.0
1516
github.com/go-openapi/strfmt v0.23.0
1617
github.com/go-openapi/swag v0.23.0

internal/pkg/cosign/payload/size/errors.go

+31
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
// Copyright 2024 The Sigstore Authors.
2+
//
3+
// Licensed under the Apache License, Version 2.0 (the "License");
4+
// you may not use this file except in compliance with the License.
5+
// You may obtain a copy of the License at
6+
//
7+
// http://www.apache.org/licenses/LICENSE-2.0
8+
//
9+
// Unless required by applicable law or agreed to in writing, software
10+
// distributed under the License is distributed on an "AS IS" BASIS,
11+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12+
// See the License for the specific language governing permissions and
13+
// limitations under the License.
14+
15+
package payload
16+
17+
import "fmt"
18+
19+
// MaxLayerSizeExceeded is an error indicating that the layer is too big to read into memory and cosign should abort processing it.
20+
type MaxLayerSizeExceeded struct {
21+
value uint64
22+
maximum uint64
23+
}
24+
25+
func NewMaxLayerSizeExceeded(value, maximum uint64) *MaxLayerSizeExceeded {
26+
return &MaxLayerSizeExceeded{value, maximum}
27+
}
28+
29+
func (e *MaxLayerSizeExceeded) Error() string {
30+
return fmt.Sprintf("size of layer (%d) exceeded the limit (%d)", e.value, e.maximum)
31+
}

internal/pkg/cosign/payload/size/size.go

+38
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
// Copyright 2024 The Sigstore Authors.
2+
//
3+
// Licensed under the Apache License, Version 2.0 (the "License");
4+
// you may not use this file except in compliance with the License.
5+
// You may obtain a copy of the License at
6+
//
7+
// http://www.apache.org/licenses/LICENSE-2.0
8+
//
9+
// Unless required by applicable law or agreed to in writing, software
10+
// distributed under the License is distributed on an "AS IS" BASIS,
11+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12+
// See the License for the specific language governing permissions and
13+
// limitations under the License.
14+
15+
package payload
16+
17+
import (
18+
"github.com/dustin/go-humanize"
19+
"github.com/sigstore/cosign/v2/pkg/cosign/env"
20+
)
21+
22+
const defaultMaxSize = uint64(134217728) // 128MiB
23+
24+
func CheckSize(size uint64) error {
25+
maxSize := defaultMaxSize
26+
maxSizeOverride, exists := env.LookupEnv(env.VariableMaxAttachmentSize)
27+
if exists {
28+
var err error
29+
maxSize, err = humanize.ParseBytes(maxSizeOverride)
30+
if err != nil {
31+
maxSize = defaultMaxSize
32+
}
33+
}
34+
if size > maxSize {
35+
return NewMaxLayerSizeExceeded(size, maxSize)
36+
}
37+
return nil
38+
}

internal/pkg/cosign/payload/size/size_test.go

+110
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,110 @@
1+
// Copyright 2024 The Sigstore Authors.
2+
//
3+
// Licensed under the Apache License, Version 2.0 (the "License");
4+
// you may not use this file except in compliance with the License.
5+
// You may obtain a copy of the License at
6+
//
7+
// http://www.apache.org/licenses/LICENSE-2.0
8+
//
9+
// Unless required by applicable law or agreed to in writing, software
10+
// distributed under the License is distributed on an "AS IS" BASIS,
11+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12+
// See the License for the specific language governing permissions and
13+
// limitations under the License.
14+
15+
package payload
16+
17+
import (
18+
"testing"
19+
)
20+
21+
func TestCheckSize(t *testing.T) {
22+
tests := []struct {
23+
name string
24+
input uint64
25+
setting string
26+
wantErr bool
27+
}{
28+
{
29+
name: "size is within default limit",
30+
input: 1000,
31+
wantErr: false,
32+
},
33+
{
34+
name: "size exceeds default limit",
35+
input: 200000000,
36+
wantErr: true,
37+
},
38+
{
39+
name: "size is within overridden limit (bytes)",
40+
input: 1000,
41+
setting: "1024",
42+
wantErr: false,
43+
},
44+
{
45+
name: "size is exceeds overridden limit (bytes)",
46+
input: 2000,
47+
setting: "1024",
48+
wantErr: true,
49+
},
50+
{
51+
name: "size is within overridden limit (megabytes, short form)",
52+
input: 1999999,
53+
setting: "2M",
54+
wantErr: false,
55+
},
56+
{
57+
name: "size exceeds overridden limit (megabytes, short form)",
58+
input: 2000001,
59+
setting: "2M",
60+
wantErr: true,
61+
},
62+
{
63+
name: "size is within overridden limit (megabytes, long form)",
64+
input: 1999999,
65+
setting: "2MB",
66+
wantErr: false,
67+
},
68+
{
69+
name: "size exceeds overridden limit (megabytes, long form)",
70+
input: 2000001,
71+
setting: "2MB",
72+
wantErr: true,
73+
},
74+
{
75+
name: "size is within overridden limit (mebibytes)",
76+
input: 2097151,
77+
setting: "2MiB",
78+
wantErr: false,
79+
},
80+
{
81+
name: "size exceeds overridden limit (mebibytes)",
82+
input: 2097153,
83+
setting: "2MiB",
84+
wantErr: true,
85+
},
86+
{
87+
name: "size is negative results in default",
88+
input: 5121,
89+
setting: "-5KiB",
90+
wantErr: false,
91+
},
92+
{
93+
name: "invalid setting results in default",
94+
input: 5121,
95+
setting: "five kilobytes",
96+
wantErr: false,
97+
},
98+
}
99+
for _, test := range tests {
100+
t.Run(test.name, func(t *testing.T) {
101+
if test.setting != "" {
102+
t.Setenv("COSIGN_MAX_ATTACHMENT_SIZE", test.setting)
103+
}
104+
got := CheckSize(test.input)
105+
if (got != nil) != (test.wantErr) {
106+
t.Errorf("CheckSize() = %v, expected %v", got, test.wantErr)
107+
}
108+
})
109+
}
110+
}

pkg/cosign/env/env.go

+6
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,7 @@ const (
5151
VariablePKCS11ModulePath Variable = "COSIGN_PKCS11_MODULE_PATH"
5252
VariablePKCS11IgnoreCertificate Variable = "COSIGN_PKCS11_IGNORE_CERTIFICATE"
5353
VariableRepository Variable = "COSIGN_REPOSITORY"
54+
VariableMaxAttachmentSize Variable = "COSIGN_MAX_ATTACHMENT_SIZE"
5455

5556
// Sigstore environment variables
5657
VariableSigstoreCTLogPublicKeyFile Variable = "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE"
@@ -113,6 +114,11 @@ var (
113114
Expects: "string with a repository",
114115
Sensitive: false,
115116
},
117+
VariableMaxAttachmentSize: {
118+
Description: "maximum attachment size to download (default 128MiB)",
119+
Expects: "human-readable unit of memory, e.g. 5120, 20K, 3M, 45MiB, 1GB",
120+
Sensitive: false,
121+
},
116122

117123
VariableSigstoreCTLogPublicKeyFile: {
118124
Description: "overrides what is used to validate the SCT coming back from Fulcio",

pkg/oci/errors.go

+31
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
// Copyright 2024 The Sigstore Authors.
2+
//
3+
// Licensed under the Apache License, Version 2.0 (the "License");
4+
// you may not use this file except in compliance with the License.
5+
// You may obtain a copy of the License at
6+
//
7+
// http://www.apache.org/licenses/LICENSE-2.0
8+
//
9+
// Unless required by applicable law or agreed to in writing, software
10+
// distributed under the License is distributed on an "AS IS" BASIS,
11+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12+
// See the License for the specific language governing permissions and
13+
// limitations under the License.
14+
15+
package oci
16+
17+
import "fmt"
18+
19+
// MaxLayersExceeded is an error indicating that the artifact has too many layers and cosign should abort processing it.
20+
type MaxLayersExceeded struct {
21+
value int64
22+
maximum int64
23+
}
24+
25+
func NewMaxLayersExceeded(value, maximum int64) *MaxLayersExceeded {
26+
return &MaxLayersExceeded{value, maximum}
27+
}
28+
29+
func (e *MaxLayersExceeded) Error() string {
30+
return fmt.Sprintf("number of layers (%d) exceeded the limit (%d)", e.value, e.maximum)
31+
}

pkg/oci/internal/signature/layer.go

+9
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@ import (
2424
"strings"
2525

2626
v1 "github.com/google/go-containerregistry/pkg/v1"
27+
payloadsize "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size"
2728
"github.com/sigstore/cosign/v2/pkg/cosign/bundle"
2829
"github.com/sigstore/cosign/v2/pkg/oci"
2930
"github.com/sigstore/sigstore/pkg/cryptoutils"
@@ -58,6 +59,14 @@ func (s *sigLayer) Annotations() (map[string]string, error) {
5859

5960
// Payload implements oci.Signature
6061
func (s *sigLayer) Payload() ([]byte, error) {
62+
size, err := s.Layer.Size()
63+
if err != nil {
64+
return nil, err
65+
}
66+
err = payloadsize.CheckSize(uint64(size))
67+
if err != nil {
68+
return nil, err
69+
}
6170
// Compressed is a misnomer here, we just want the raw bytes from the registry.
6271
r, err := s.Layer.Compressed()
6372
if err != nil {

0 commit comments

Comments
 (0)