Skip to content

Commit

Permalink
Limit size on justifications (#177)
Browse files Browse the repository at this point in the history
This isn't a perfect solution because there's some error during JSON marshalling, but I don't think we should take the overhead of marshalling the JSON.

Fixes GH-170
  • Loading branch information
sethvargo authored Jan 26, 2023
1 parent 6bb6a36 commit 2200787
Show file tree
Hide file tree
Showing 2 changed files with 51 additions and 3 deletions.
26 changes: 23 additions & 3 deletions pkg/justification/processor.go
Original file line number Diff line number Diff line change
Expand Up @@ -133,13 +133,16 @@ func (p *Processor) getPrimarySigner(ctx context.Context) (*signerWithID, error)
}

// TODO: Each category should have its own validator struct, with a shared interface.
func (p *Processor) runValidations(request *jvspb.CreateJustificationRequest) error {
if len(request.Justifications) < 1 {
func (p *Processor) runValidations(req *jvspb.CreateJustificationRequest) error {
if len(req.Justifications) < 1 {
return fmt.Errorf("no justifications specified")
}

var justificationsLength int
var err *multierror.Error
for _, j := range request.Justifications {
for _, j := range req.Justifications {
justificationsLength += len(j.Category) + len(j.Value)

switch j.Category {
case "explanation":
if j.Value == "" {
Expand All @@ -149,6 +152,23 @@ func (p *Processor) runValidations(request *jvspb.CreateJustificationRequest) er
err = multierror.Append(err, fmt.Errorf("unexpected justification %v unrecognized", j))
}
}

// This isn't perfect, but it's the easiest place to get "close" to limiting
// the size.
if got, max := justificationsLength, 4_000; got > max {
err = multierror.Append(err, fmt.Errorf("justification size (%d bytes) must be less than %d bytes",
got, max))
}

var audiencesLength int
for _, v := range req.Audiences {
audiencesLength += len(v)
}
if got, max := audiencesLength, 1_000; got > max {
err = multierror.Append(err, fmt.Errorf("audiences size (%d bytes) must be less than %d bytes",
got, max))
}

return err.ErrorOrNil()
}

Expand Down
28 changes: 28 additions & 0 deletions pkg/justification/processor_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
"crypto/x509"
"encoding/pem"
"reflect"
"strings"
"testing"
"time"

Expand Down Expand Up @@ -127,6 +128,33 @@ func TestCreateToken(t *testing.T) {
},
wantErr: "requested ttl (10h) cannot be greater than max tll (1h)",
},
{
name: "justifications_too_long",
request: &jvspb.CreateJustificationRequest{
Justifications: []*jvspb.Justification{
{
Category: "explanation",
Value: strings.Repeat("test", 4_000),
},
},
Ttl: durationpb.New(10 * time.Hour),
},
wantErr: "must be less than 4000 bytes",
},
{
name: "audiences_too_long",
request: &jvspb.CreateJustificationRequest{
Justifications: []*jvspb.Justification{
{
Category: "explanation",
Value: "test",
},
},
Audiences: []string{strings.Repeat("test", 1_000)},
Ttl: durationpb.New(10 * time.Hour),
},
wantErr: "must be less than 1000 bytes",
},
}

for _, tc := range tests {
Expand Down

0 comments on commit 2200787

Please sign in to comment.