
Refactor DoS limits to separate func #364

Merged
merged 2 commits into from
Dec 20, 2024
38 changes: 21 additions & 17 deletions pkg/verify/signature.go
Expand Up @@ -24,6 +24,7 @@ import (
"hash"
"io"

in_toto "github.com/in-toto/attestation/go/v1"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
"github.com/sigstore/sigstore-go/pkg/root"
"github.com/sigstore/sigstore/pkg/signature"
Expand Down Expand Up @@ -142,6 +143,10 @@ func verifyEnvelopeWithArtifact(verifier signature.Verifier, envelope EnvelopeCo
if err != nil {
return fmt.Errorf("could not verify artifact: unable to extract statement from envelope: %w", err)
}
if err = limitSubjects(statement); err != nil {
return err
}

var artifactDigestAlgorithm string
var artifactDigest []byte

Expand Down Expand Up @@ -182,17 +187,8 @@ func verifyEnvelopeWithArtifact(verifier signature.Verifier, envelope EnvelopeCo
}
artifactDigest = hasher.Sum(nil)

// limit the number of subjects to prevent DoS
if len(statement.Subject) > maxAllowedSubjects {
return fmt.Errorf("too many subjects: %d > %d", len(statement.Subject), maxAllowedSubjects)
}

// Look for artifact digest in statement
for _, subject := range statement.Subject {
// limit the number of digests to prevent DoS
if len(subject.Digest) > maxAllowedSubjectDigests {
return fmt.Errorf("too many digests: %d > %d", len(subject.Digest), maxAllowedSubjectDigests)
}
for alg, digest := range subject.Digest {
hexdigest, err := hex.DecodeString(digest)
if err != nil {
Expand All @@ -215,17 +211,11 @@ func verifyEnvelopeWithArtifactDigest(verifier signature.Verifier, envelope Enve
if err != nil {
return fmt.Errorf("could not verify artifact: unable to extract statement from envelope: %w", err)
}

// limit the number of subjects to prevent DoS
if len(statement.Subject) > maxAllowedSubjects {
return fmt.Errorf("too many subjects: %d > %d", len(statement.Subject), maxAllowedSubjects)
if err = limitSubjects(statement); err != nil {
return err
}

for _, subject := range statement.Subject {
// limit the number of digests to prevent DoS
if len(subject.Digest) > maxAllowedSubjectDigests {
return fmt.Errorf("too many digests: %d > %d", len(subject.Digest), maxAllowedSubjectDigests)
}
for alg, digest := range subject.Digest {
if alg == artifactDigestAlgorithm {
hexdigest, err := hex.DecodeString(digest)
Expand Down Expand Up @@ -265,3 +255,17 @@ func verifyMessageSignatureWithArtifactDigest(verifier signature.Verifier, msg M

return nil
}

// limitSubjects limits the number of subjects and digests in a statement to prevent DoS.
func limitSubjects(statement *in_toto.Statement) error {
if len(statement.Subject) > maxAllowedSubjects {
return fmt.Errorf("too many subjects: %d > %d", len(statement.Subject), maxAllowedSubjects)
}
for _, subject := range statement.Subject {
// limit the number of digests too
if len(subject.Digest) > maxAllowedSubjectDigests {
return fmt.Errorf("too many digests: %d > %d", len(subject.Digest), maxAllowedSubjectDigests)
}
}
return nil
}
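Review bot: `limitSubjects` reads `statement.Subject` and `subject.Digest` by direct field access, so a nil statement or a nil entry in the subject list would panic inside the very function meant to guard against DoS. Both call sites shown check `err` from the statement extraction first, but whether a nil value can still reach the helper is not visible in these hunks. If `in_toto.Statement` is the protobuf-generated type, the nil-safe getters would cover both cases: `len(statement.GetSubject())` and `len(subject.GetDigest())`. The doc comment could also state that the helper only counts entries and does not bound the length of each digest string, which the callers later pass to `hex.DecodeString`.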