bound io.ReadAll on untrusted HTTP response bodies

internal/limitio/limitio.go

@@ -0,0 +1,24 @@
+package limitio
+
+import (
+	"errors"
+	"fmt"
+	"io"
+)
+
+var ErrLimitExceeded = errors.New("read limit exceeded")
+
+func ReadAll(r io.Reader, max int64) ([]byte, error) {
+	if max < 0 {
+		return nil, fmt.Errorf("invalid max: %d", max)
+	}
+
+	b, err := io.ReadAll(io.LimitReader(r, max+1))
+	if err != nil {
+		return nil, err
+	}
+	if int64(len(b)) > max {
+		return nil, fmt.Errorf("%w: read=%d max=%d", ErrLimitExceeded, len(b), max)
+	}
+	return b, nil
+}

internal/limitio/limitio_test.go

@@ -0,0 +1,69 @@
+package limitio
+
+import (
+	"errors"
+	"strings"
+	"testing"
+)
+
+func TestReadAll(t *testing.T) {
+	tests := []struct {
+		name    string
+		input   string
+		max     int64
+		wantErr bool
+		wantLen int
+	}{
+		{
+			name:    "within limit",
+			input:   "hello",
+			max:     10,
+			wantLen: 5,
+		},
+		{
+			name:    "exactly at limit",
+			input:   "hello",
+			max:     5,
+			wantLen: 5,
+		},
+		{
+			name:    "exceeds limit",
+			input:   "hello world",
+			max:     5,
+			wantErr: true,
+		},
+		{
+			name:    "empty input",
+			input:   "",
+			max:     5,
+			wantLen: 0,
+		},
+		{
+			name:    "negative max",
+			input:   "hello",
+			max:     -1,
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ReadAll(strings.NewReader(tt.input), tt.max)
+			if tt.wantErr {
+				if err == nil {
+					t.Fatal("expected error, got nil")
+				}
+				if tt.max >= 0 && !errors.Is(err, ErrLimitExceeded) {
+					t.Fatalf("expected ErrLimitExceeded, got: %v", err)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if len(got) != tt.wantLen {
+				t.Fatalf("got %d bytes, want %d", len(got), tt.wantLen)
+			}
+		})
+	}
+}

pkg/v1/remote/image.go

@@ -22,6 +22,7 @@ import (
 	"net/url"
 	"sync"
 
+	"github.com/google/go-containerregistry/internal/limitio"
 	"github.com/google/go-containerregistry/internal/redact"
 	"github.com/google/go-containerregistry/internal/verify"
 	"github.com/google/go-containerregistry/pkg/name"
@@ -31,6 +32,8 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/types"
 )
 
+const maxConfigBytes = 8 * 1024 * 1024
+
 var acceptableImageMediaTypes = []types.MediaType{
 	types.DockerManifestSchema2,
 	types.OCIManifestSchema1,
@@ -126,7 +129,7 @@ func (r *remoteImage) RawConfigFile() ([]byte, error) {
 	}
 	defer body.Close()
 
-	r.config, err = io.ReadAll(body)
+	r.config, err = limitio.ReadAll(body, maxConfigBytes)
 	if err != nil {
 		return nil, err
 	}

pkg/v1/remote/referrers.go

@@ -18,10 +18,10 @@ import (
 	"bytes"
 	"context"
 	"errors"
-	"io"
 	"net/http"
 	"strings"
 
+	"github.com/google/go-containerregistry/internal/limitio"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
@@ -30,6 +30,8 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/types"
 )
 
+const maxReferrersBytes = 4 * 1024 * 1024
+
 // Referrers returns a list of descriptors that refer to the given manifest digest.
 //
 // The subject manifest doesn't have to exist in the registry for there to be descriptors that refer to it.
@@ -67,7 +69,7 @@ func (f *fetcher) fetchReferrers(ctx context.Context, filter map[string]string,
 
 	var b []byte
 	if resp.StatusCode == http.StatusOK && resp.Header.Get("Content-Type") == string(types.OCIImageIndex) {
-		b, err = io.ReadAll(resp.Body)
+		b, err = limitio.ReadAll(resp.Body, maxReferrersBytes)
 		if err != nil {
 			return nil, err
 		}

pkg/v1/remote/transport/bearer.go

@@ -19,7 +19,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
 	"net"
 	"net/http"
 	"net/url"
@@ -28,6 +27,7 @@ import (
 
 	authchallenge "github.com/docker/distribution/registry/client/auth/challenge"
 
+	"github.com/google/go-containerregistry/internal/limitio"
 	"github.com/google/go-containerregistry/internal/redact"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/logs"
@@ -41,6 +41,8 @@ type Token struct {
 	ExpiresIn    int    `json:"expires_in"`
 }
 
+const maxTokenBytes = 4 * 1024 * 1024
+
 // Exchange requests a registry Token with the given scopes.
 func Exchange(ctx context.Context, reg name.Registry, auth authn.Authenticator, t http.RoundTripper, scopes []string, pr *Challenge) (*Token, error) {
 	if strings.ToLower(pr.Scheme) != "bearer" {
@@ -359,7 +361,7 @@ func (bt *bearerTransport) refreshOauth(ctx context.Context) ([]byte, error) {
 		return nil, err
 	}
 
-	return io.ReadAll(resp.Body)
+	return limitio.ReadAll(resp.Body, maxTokenBytes)
 }
 
 // https://docs.docker.com/registry/spec/auth/token/
@@ -403,5 +405,5 @@ func (bt *bearerTransport) refreshBasic(ctx context.Context) ([]byte, error) {
 		return nil, err
 	}
 
-	return io.ReadAll(resp.Body)
+	return limitio.ReadAll(resp.Body, maxTokenBytes)
 }

pkg/v1/remote/transport/error.go

@@ -17,13 +17,15 @@ package transport
 import (
 	"encoding/json"
 	"fmt"
-	"io"
 	"net/http"
 	"strings"
 
+	"github.com/google/go-containerregistry/internal/limitio"
 	"github.com/google/go-containerregistry/internal/redact"
 )
 
+const maxErrorBodyBytes = 4 * 1024 * 1024
+
 // Error implements error to support the following error specification:
 // https://github.com/distribution/distribution/blob/aac2f6c8b7c5a6c60190848bab5cbeed2b5ba0a9/docs/spec/api.md#errors
 type Error struct {
@@ -161,7 +163,7 @@ func CheckError(resp *http.Response, codes ...int) error {
 		}
 	}
 
-	b, err := io.ReadAll(resp.Body)
+	b, err := limitio.ReadAll(resp.Body, maxErrorBodyBytes)
 	if err != nil {
 		return err
 	}
@@ -185,7 +187,7 @@ func makeError(resp *http.Response, body []byte) *Error {
 }
 
 func retryError(resp *http.Response) error {
-	b, err := io.ReadAll(resp.Body)
+	b, err := limitio.ReadAll(resp.Body, maxErrorBodyBytes)
 	if err != nil {
 		return err
 	}