
operator/pkg/util: Curious about Adding a Data Limit Check in `ioCopyN`?

Open mohamedawnallah opened this issue 4 months ago • 2 comments

Description

Currently, the ioCopyN function does not enforce a limit on the amount of data it processes from the tar.Reader. This can lead to potential Denial of Service (DoS) vulnerabilities through decompression bombs, where maliciously crafted tar files could cause excessive resource consumption.

https://github.com/karmada-io/karmada/blob/6e41d9b9309a64d3014a8bce568f6b6d7af4f66d/operator/pkg/util/util.go#L155-L166

Proposed Changes

Implement a data limit check in the ioCopyN function to prevent excessive data processing. This can be achieved by adding the following code to track the total number of bytes written and enforce a maximum size limit:

```go
totalWritten += n
if totalWritten > maxSize {
    return fmt.Errorf("data limit exceeded: total written %d bytes, maximum allowed %d bytes", totalWritten, maxSize)
}
```

What do you think? 🤔

mohamedawnallah, Oct 11 '24 02:10
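The bounded copy the issue asks for, written out as an added example that is not karmada's own `ioCopyN` and is not code from the issue author. The function names `copyN`, `buildTar` and `extractFirstEntry`, the error value `ErrDataLimitExceeded` and the in-memory archives are all constructed for this illustration; only the `totalWritten`/`maxSize` check itself comes from the proposal above. The cap is checked before each write, so the destination never holds more than `maxSize` bytes even when a single `Read` returns a large chunk, and an entry exactly at the limit is still accepted.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrDataLimitExceeded is returned when a tar entry would expand past maxSize.
// (Constructed for this example; not a karmada identifier.)
var ErrDataLimitExceeded = errors.New("data limit exceeded")

// copyN copies src to dst in chunks while counting bytes, and refuses to
// write anything that would push the running total past maxSize.
// It returns the number of bytes actually written.
func copyN(dst io.Writer, src io.Reader, maxSize int64) (int64, error) {
	buf := make([]byte, 32*1024)
	var totalWritten int64
	for {
		n, rerr := src.Read(buf)
		if n > 0 {
			// Check the cap before writing so dst never exceeds maxSize,
			// regardless of how large a single Read happens to be.
			if totalWritten+int64(n) > maxSize {
				return totalWritten, fmt.Errorf("%w: total would reach %d bytes, maximum allowed %d bytes",
					ErrDataLimitExceeded, totalWritten+int64(n), maxSize)
			}
			w, werr := dst.Write(buf[:n])
			totalWritten += int64(w)
			if werr != nil {
				return totalWritten, werr
			}
		}
		if rerr == io.EOF {
			return totalWritten, nil
		}
		if rerr != nil {
			return totalWritten, rerr
		}
	}
}

// buildTar returns a constructed in-memory tar archive holding one regular
// file of the requested size, used here as sample input.
func buildTar(name string, size int) []byte {
	var out bytes.Buffer
	tw := tar.NewWriter(&out)
	_ = tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(size)})
	_, _ = tw.Write(bytes.Repeat([]byte("A"), size))
	_ = tw.Close()
	return out.Bytes()
}

// extractFirstEntry reads the first entry of a tar stream through copyN, so
// the size declared in the (untrusted) header is never what bounds memory use.
func extractFirstEntry(archive []byte, maxSize int64) ([]byte, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	if _, err := tr.Next(); err != nil {
		return nil, err
	}
	var out bytes.Buffer
	if _, err := copyN(&out, tr, maxSize); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

func main() {
	if data, err := extractFirstEntry(buildTar("ok.txt", 100), 1024); err == nil {
		fmt.Printf("small entry extracted: %d bytes\n", len(data))
	}
	if _, err := extractFirstEntry(buildTar("oversized.txt", 5000), 1024); err != nil {
		fmt.Println("oversized entry rejected:", err)
	}
}
```

Wrapping the error with `%w` lets callers use `errors.Is(err, ErrDataLimitExceeded)` to tell a limit rejection apart from an ordinary read or write failure, which is useful when the caller wants to log the rejected archive differently from an I/O error.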