Size Limits on all types

[dlorenc]

From a discussion with @asraa, we should figure out reasonable size limits for all types and enforce them in type validation.

[bobcallaway]

Can you clarify why the size limit should be type specific?

[dlorenc]

Ah, I think we should set global limits but we might also be able to restrict further by type.

[asraa]

So far I think the max request size set by the proxy (120mb) is probably way too large for most types. Whether rekor should have a smaller artifact size seems likely to be true (at least most types won't hit near this limit, for e.g. the rfc 3161 timestamps should definitely be smaller given that they only contain a hash of the message signed).

Since rekor does do some minimal parsing (for example, parsing public key bytes into x509 certs for sig verification), I'm mostly thinking a tighter request size limit to prevent really long, unnecessary parsing. It doesn't seem necessary to do this for the types that have payload that isn't being parsed in complicated way, e.g. maybe just hashed

[bobcallaway]

Since we're taking input as JSON, having a request limit based on the type would require rekor to parse the incoming document in order to get the type to determine the appropriate size limit. The kind and apiVersion elements could be at the end of the document, so its possible we'd have to read in the entire large doc into memory in order to determine the size-specific limit - thus making the limit moot?

[haydentherapper]

@dlorenc @bobcallaway Is this done? Do we have limits in place?

[haydentherapper]

Was this completed?