Descriptor size cannot be negative#1285
Merged
cyphar merged 1 commit intoopencontainers:mainfrom Sep 6, 2025
Merged
Conversation
Signed-off-by: Brandon Mitchell <git@bmitch.net>
sudo-bmitch
requested review from
cyphar,
jonjohnsonjr,
sajayantony,
stevvooe and
tianon
as code owners
tianon
approved these changes
Sep 5, 2025
Member
tianon
left a comment
tianon
left a comment
There was a problem hiding this comment.
Thanks for considering the zero size edge case I forgot about (frankly I forgot that "MUST be positive" is ambiguous about whether zero is positive 😂).
Merged
Member
|
(fwiw, I was quoting #153 (comment)) |
Contributor
Author
As long as we don't get into negative zero scenarios. 😂 |
Member
|
"MUST NOT be negative"!!! ✊ |
cyphar
approved these changes
Sep 6, 2025
Member
|
Makes sense, especially given how critical sizes are to avoiding DoS attacks. |
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
VerifiedReadCloser previously would allow for negative ExpectedSize to disable the size checking features added in commit ad66299 ("pkg: hardening: expand to verify descriptor length"). This was based on a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 which was finally clarified in opencontainers/image-spec#1285. Unknown sizes are a classic DoS vector, so allowing them seems like a bad idea in general. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
This was implicitly allowed by VerifiedReadCloser, and while we have closed that hole it's probably best to provide a more helpful error message. Ref: opencontainers/image-spec#1285 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
This was implicitly allowed by VerifiedReadCloser, and while we have closed that hole it's probably best to provide a more helpful error message. Not blocking this earlier was mostly due to a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 which was finally clarified in opencontainers/image-spec#1285. Unknown sizes are a classic DoS vector, so allowing them (especially for descriptors where it makes little sense to have an unknown size) seems like a bad idea in general. Ref: opencontainers/image-spec#1285 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
VerifiedReadCloser previously would allow for negative ExpectedSize to disable the size checking features added in commit ad66299 ("pkg: hardening: expand to verify descriptor length"). This was added partially because a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 (which was finally clarified in opencontainers/image-spec#1285), but was also necessary for some users of VerifiedReadCloser that did not really know the proper blob size. We have now adjusted all of those callers, so there is no longer any reason to continue supporting this. Unknown sizes are a classic DoS vector, so allowing them seems like a bad idea in general. We might need to adjust this if/when umoci grows OCI distribution-spec support, but for now it isn't needed. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
This was implicitly allowed by VerifiedReadCloser, and while we have closed that hole it's probably best to provide a more helpful error message. Not blocking this earlier was mostly due to a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 which was finally clarified in opencontainers/image-spec#1285. Unknown sizes are a classic DoS vector, so allowing them (especially for descriptors where it makes little sense to have an unknown size) seems like a bad idea in general. Ref: opencontainers/image-spec#1285 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
VerifiedReadCloser previously would allow for negative ExpectedSize to disable the size checking features added in commit ad66299 ("pkg: hardening: expand to verify descriptor length"). This was added partially because a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 (which was finally clarified in opencontainers/image-spec#1285), but was also necessary for some users of VerifiedReadCloser that did not really know the proper blob size. We have now adjusted all of those callers, so there is no longer any reason to continue supporting this. Unknown sizes are a classic DoS vector, so allowing them seems like a bad idea in general. We might need to adjust this if/when umoci grows OCI distribution-spec support, but for now it isn't needed. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
This was implicitly allowed by VerifiedReadCloser, and while we have closed that hole it's probably best to provide a more helpful error message. Not blocking this earlier was mostly due to a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 which was finally clarified in opencontainers/image-spec#1285. Unknown sizes are a classic DoS vector, so allowing them (especially for descriptors where it makes little sense to have an unknown size) seems like a bad idea in general. Ref: opencontainers/image-spec#1285 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
VerifiedReadCloser previously would allow for negative ExpectedSize to disable the size checking features added in commit ad66299 ("pkg: hardening: expand to verify descriptor length"). This was added partially because a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 (which was finally clarified in opencontainers/image-spec#1285), but was also necessary for some users of VerifiedReadCloser that did not really know the proper blob size. We have now adjusted all of those callers, so there is no longer any reason to continue supporting this. Unknown sizes are a classic DoS vector, so allowing them seems like a bad idea in general. We might need to adjust this if/when umoci grows OCI distribution-spec support, but for now it isn't needed. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
This was implicitly allowed by VerifiedReadCloser, and while we have closed that hole it's probably best to provide a more helpful error message. Not blocking this earlier was mostly due to a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 which was finally clarified in opencontainers/image-spec#1285. Unknown sizes are a classic DoS vector, so allowing them (especially for descriptors where it makes little sense to have an unknown size) seems like a bad idea in general. Ref: opencontainers/image-spec#1285 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
VerifiedReadCloser previously would allow for negative ExpectedSize to disable the size checking features added in commit ad66299 ("pkg: hardening: expand to verify descriptor length"). This was added partially because a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 (which was finally clarified in opencontainers/image-spec#1285), but was also necessary for some users of VerifiedReadCloser that did not really know the proper blob size. We have now adjusted all of those callers, so there is no longer any reason to continue supporting this. Unknown sizes are a classic DoS vector, so allowing them seems like a bad idea in general. We might need to adjust this if/when umoci grows OCI distribution-spec support, but for now it isn't needed. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
This was implicitly allowed by VerifiedReadCloser, and while we have closed that hole it's probably best to provide a more helpful error message. Not blocking this earlier was mostly due to a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 which was finally clarified in opencontainers/image-spec#1285. Unknown sizes are a classic DoS vector, so allowing them (especially for descriptors where it makes little sense to have an unknown size) seems like a bad idea in general. Ref: opencontainers/image-spec#1285 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
VerifiedReadCloser previously would allow for negative ExpectedSize to disable the size checking features added in commit ad66299 ("pkg: hardening: expand to verify descriptor length"). This was added partially because a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 (which was finally clarified in opencontainers/image-spec#1285), but was also necessary for some users of VerifiedReadCloser that did not really know the proper blob size. We have now adjusted all of those callers, so there is no longer any reason to continue supporting this. Unknown sizes are a classic DoS vector, so allowing them seems like a bad idea in general. We might need to adjust this if/when umoci grows OCI distribution-spec support, but for now it isn't needed. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
This was implicitly allowed by VerifiedReadCloser, and while we have closed that hole it's probably best to provide a more helpful error message. Not blocking this earlier was mostly due to a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 which was finally clarified in opencontainers/image-spec#1285. Unknown sizes are a classic DoS vector, so allowing them (especially for descriptors where it makes little sense to have an unknown size) seems like a bad idea in general. Ref: opencontainers/image-spec#1285 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/umoci
that referenced
this pull request
Sep 6, 2025
VerifiedReadCloser previously would allow for negative ExpectedSize to disable the size checking features added in commit ad66299 ("pkg: hardening: expand to verify descriptor length"). This was added partially because a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 (which was finally clarified in opencontainers/image-spec#1285), but was also necessary for some users of VerifiedReadCloser that did not really know the proper blob size. We have now adjusted all of those callers, so there is no longer any reason to continue supporting this. Unknown sizes are a classic DoS vector, so allowing them seems like a bad idea in general. We might need to adjust this if/when umoci grows OCI distribution-spec support, but for now it isn't needed. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is in response to #153 (comment). I didn't say "MUST be positive" because we've seen some cases where a zero length blob has been permitted.
I'm not a JSON schema expert, but it passes the tests. Other changes to
descriptor_test.gowere for consistency.