mirror of
https://github.com/project-zot/zot.git
synced 2026-06-19 22:27:58 +08:00
fix(security): limit manifest PUT body to 4 MiB (INPUT-1) (#3977)
Wrap request.Body with http.MaxBytesReader before io.ReadAll in UpdateManifest. Bodies exceeding MaxManifestBodySize (4 MiB) now return HTTP 413 with a MANIFEST_INVALID error body instead of buffering unlimited data into memory. Add the MaxManifestBodySize constant and a unit test that sends an oversized body and asserts the 413 status.

Agent-Logs-Url: https://github.com/project-zot/zot/sessions/5eca86eb-9749-4cf8-9fb8-7b9ace2ba87f
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
committed by GitHub
parent 3bc5f97b51
commit 35c29b95e4
@@ -19,7 +19,10 @@ const (
// for path and digest:
//
// (8192 - 2048) / (len("tag=") + 128 + 1) == 46
MaxManifestDigestQueryTags = (8192 - 2048) / (len("tag=") + 128 + 1)
MaxManifestDigestQueryTags = (8192 - 2048) / (len("tag=") + 128 + 1)
// MaxManifestBodySize is the maximum number of bytes accepted for a manifest PUT request body.
// OCI manifest JSON is always small metadata; 4 MiB is well above any realistic manifest.
MaxManifestBodySize = 4 * 1024 * 1024
BlobUploadUUID = "Blob-Upload-UUID"
DefaultMediaType = "application/json"
BinaryMediaType = "application/octet-stream"
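Review bot: the doc comment on MaxManifestBodySize (the two `//` lines above it) should say where the cap is enforced and what the caller observes when it trips; this hunk only adds the constant, while the commit message says the enforcement lives in UpdateManifest via http.MaxBytesReader and is surfaced as HTTP 413 with a MANIFEST_INVALID body. Suggest extending the comment along the lines of `// Enforced by wrapping request.Body with http.MaxBytesReader in UpdateManifest; an oversized body yields HTTP 413 (MANIFEST_INVALID).` so a reader of this file does not have to find the handler to learn that. Two related points for the handler this pairs with: since the constant is untyped it can be passed straight to the int64 limit parameter of http.MaxBytesReader, and the handler should detect the limit specifically (in Go 1.19+ the read error is an *http.MaxBytesError, checkable with errors.As) rather than treating every io.ReadAll error identically, otherwise an oversized body and a broken connection would be indistinguishable and the 413 the unit test asserts on would depend on incidental error handling. Finally, the neighbouring MaxManifestDigestQueryTags constant carries a derivation comment for its value; a one-line note on why 4 MiB was chosen (for example, that it matches the limit other registry implementations apply to manifests) would keep the two constants consistently documented.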