Skip to content

check bundle layer size before reading in remote.Bundle#4947

Open
alhudz wants to merge 2 commits into
sigstore:mainfrom
alhudz:bundle-layer-size-cap
Open

check bundle layer size before reading in remote.Bundle#4947
alhudz wants to merge 2 commits into
sigstore:mainfrom
alhudz:bundle-layer-size-cap

Conversation

@alhudz

@alhudz alhudz commented Jun 14, 2026

Copy link
Copy Markdown

Repro: point cosign verify at an image whose .sig-style bundle reference resolves to an image with one application/vnd.dev.sigstore.bundle layer that declares (or expands to) a large size. GetBundles -> ociremote.Bundle reads it before any validation.
Cause: remote.Bundle calls layers[0].Uncompressed() + io.ReadAll with no size cap, while the sibling registry readers (pkg/oci/internal/signature/layer.go, pkg/oci/remote/remote.go, pkg/oci/static/file.go) all gate on payloadsize.CheckSize first, so a hostile registry can make cosign allocate unbounded memory on a layer it has not yet trusted.
Fix: apply the same payloadsize.CheckSize(uint64(layer.Size())) check before reading, honouring COSIGN_MAX_ATTACHMENT_SIZE like the other layers do.

Added a regression test that fails on main (the read path is reached) and passes with the cap in place.

Signed-off-by: alhudz <al.hudz.k@gmail.com>
@alhudz alhudz requested a review from a team as a code owner June 14, 2026 16:30

@steiza steiza left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch! I suppose if we have size limits, we should be enforcing them consistently. We do know that some folks have very large bundles that include SBOMs though that are > 200 MB. Of course Rekor v1 has size limits as well.

Regardless, I think we want to test this change in e2e_test.go instead of in the unit test.

Comment thread pkg/oci/remote/signatures_test.go Outdated
}

func TestBundleRejectsOversizeLayer(t *testing.T) {
ri := remote.Image

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we want to be patching other modules as part of a unit test - maybe this would be better off in e2e_test.go where we have a container registry running?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved it to e2e_test.go as TestBundleLayerSizeCap, so it runs against the real registry from reg(t) and drops the fake oversizeLayer / remoteImage patching. It signs a new-format bundle, then lowers COSIGN_MAX_ATTACHMENT_SIZE below the layer size and checks ociremote.Bundle returns the limit error. Fails on main (the read path is reached), passes with the cap in place.

Signed-off-by: alhudz <al.hudz.k@gmail.com>
@alhudz

alhudz commented Jun 15, 2026

Copy link
Copy Markdown
Author

On the large SBOM bundles: this just reuses the same COSIGN_MAX_ATTACHMENT_SIZE knob the other registry readers already honour, so anyone pulling >200MB content sets that env var and it covers this path too. Default stays 128MiB, same as the siblings, so the only change is that an untrusted oversize layer gets rejected before the io.ReadAll instead of after.

@alhudz

alhudz commented Jun 29, 2026

Copy link
Copy Markdown
Author

gentle ping

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants