From 186855b5f8a3c6324845ebd17067f77dc87a896f Mon Sep 17 00:00:00 2001
From: Ramkumar Chinchani <45800463+rchincha@users.noreply.github.com>
Date: Tue, 23 Apr 2024 23:23:17 -0700
Subject: [PATCH] fix: additional input validation for CVE graphQL query (#2408)

It is possible to ask for a very large limit size which can exhaust memory.

Signed-off-by: Ramkumar Chinchani
---
 errors/errors.go | 1 +
 pkg/extensions/search/cve/pagination.go | 6 ++++++
 pkg/extensions/search/cve/pagination_test.go | 17 +++++++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/errors/errors.go b/errors/errors.go
index 09207d9e0..e5e63ea16 100644
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -117,6 +117,7 @@ var (
 ErrEmptyDigest = errors.New("digest can't be empty string")
 ErrInvalidRepoRefFormat = errors.New("invalid image reference format, use [repo:tag] or [repo@digest]")
 ErrLimitIsNegative = errors.New("pagination limit has negative value")
+ ErrLimitIsExcessive = errors.New("pagination limit has excessive value")
 ErrOffsetIsNegative = errors.New("pagination offset has negative value")
 ErrSortCriteriaNotSupported = errors.New("the pagination sort criteria is not supported")
 ErrMediaTypeNotSupported = errors.New("media type is not supported")
diff --git a/pkg/extensions/search/cve/pagination.go b/pkg/extensions/search/cve/pagination.go
index b5a5ab607..14d5c2f76 100644
--- a/pkg/extensions/search/cve/pagination.go
+++ b/pkg/extensions/search/cve/pagination.go
@@ -62,6 +62,8 @@ type CvePageFinder struct {
 pageBuffer []cvemodel.CVE
 }
 
+const maxCvePageLimit = 4 * 1024
+
 func NewCvePageFinder(limit, offset int, sortBy cvemodel.SortCriteria) (*CvePageFinder, error) {
 if sortBy == "" {
 sortBy = SeverityDsc
@@ -71,6 +73,10 @@ func NewCvePageFinder(limit, offset int, sortBy cvemodel.SortCriteria) (*CvePage
 return nil, zerr.ErrLimitIsNegative
 }
 
+ if limit > maxCvePageLimit {
+ return nil, zerr.ErrLimitIsExcessive
+ }
+
 if offset < 0 {
 return nil, zerr.ErrOffsetIsNegative
 }
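Review bot: `maxCvePageLimit` is introduced without a comment, so a later maintainer cannot tell whether 4 * 1024 is a measured memory budget, a product choice, or an arbitrary round number, and will not know how safely it can be raised. Suggest `// maxCvePageLimit bounds the page size a caller may request; larger pages can exhaust server memory (#2408).` directly above the const. Because the bound is unexported, the test in pagination_test.go has to hard-code 4097; exporting it or adding a package-internal test that references the constant would keep the two from drifting apart.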
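Review bot: The new guard returns the bare sentinel `zerr.ErrLimitIsExcessive`, so a GraphQL client that trips it is told only that the value was "excessive" and never learns the actual maximum. If `fmt` is, or can be, imported in pagination.go, `return nil, fmt.Errorf("%w: maximum is %d", zerr.ErrLimitIsExcessive, maxCvePageLimit)` names the bound while keeping `errors.Is` comparisons intact. Only the CVE page finder is capped here; if other page-finder constructors in the search extension accept a caller-supplied limit, they would need the same treatment for this fix to be complete. `NewCvePageFinder`'s body continues past the hunk, so how `limit == 0` is handled is not visible in this view.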
diff --git a/pkg/extensions/search/cve/pagination_test.go b/pkg/extensions/search/cve/pagination_test.go
index 49cc28fc8..53a43e295 100644
--- a/pkg/extensions/search/cve/pagination_test.go
+++ b/pkg/extensions/search/cve/pagination_test.go
@@ -415,6 +415,23 @@ func TestCVEPagination(t *testing.T) {
 previousSeverity = severityToInt[cve.Severity]
 }
 })
+ Convey("bad limits", func() {
+ _, _, _, err := cveInfo.GetCVEListForImage(ctx, "repo1", "0.1.0", "", "", "", cvemodel.PageInput{
+ Limit: -1,
+ Offset: 3,
+ SortBy: cveinfo.AlphabeticAsc,
+ },
+ )
+ So(err, ShouldNotBeNil)
+
+ _, _, _, err = cveInfo.GetCVEListForImage(ctx, "repo1", "0.1.0", "", "", "", cvemodel.PageInput{
+ Limit: 4097,
+ Offset: 3,
+ SortBy: cveinfo.AlphabeticAsc,
+ },
+ )
+ So(err, ShouldNotBeNil)
+ })
 })
 })
 }
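Review bot: Both new cases assert only `So(err, ShouldNotBeNil)`, so the `Limit: 4097` case would still pass if the request were rejected for an unrelated reason, and neither case pins which validation fired. Asserting the sentinel, e.g. `So(errors.Is(err, zerr.ErrLimitIsExcessive), ShouldBeTrue)` (assuming the errors package is imported in this test the way pagination.go imports it as `zerr`), would tie the test to the check the commit adds. The boundary itself is untested: a request with `Limit: 4096` should succeed, and `4097` is a literal rather than `maxCvePageLimit + 1`, which the test cannot reference because the constant is unexported, so a later change to the cap would silently stop this test from exercising the edge. `TestCVEPagination` begins outside the hunk.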