Merging to release-5.11.1: Merging to release-5.11: [TT-16532] Bundle Verification Significantly Increases Resource Consumption (#7731) (#7732) (#7737)

Merging to release-5.11: [TT-16532] Bundle Verification Significantly
Increases Resource Consumption (#7731) (#7732)

[TT-16532] Bundle Verification Significantly Increases Resource
Consumption (#7731)

PR for https://tyktech.atlassian.net/browse/TT-16532

This PR improves the memory consumption of `Verify` method by
calculating MD5 and SHA256 hashes incrementally. `TestBundle_Verify`
also extended with new cases.

We also added a new configuration parameter to GW, called
`skip_verify_existing_plugin_bundle` to skip verify on existing bundles
on the disk. The default value is `false`.

The environment variable is this:
`TYK_GW_SKIPVERIFYEXISTINGPLUGINBUNDLE`

A benchmark is also added to the PR, you can run the benchmark on your
host:

```
go test -bench=BenchmarkBundle_Verify -benchmem -count=5 ./gateway
```

Before the fix:

```
goos: darwin
goarch: arm64
pkg: github.com/TykTechnologies/tyk/gateway
cpu: Apple M4 Pro
BenchmarkBundle_Verify
BenchmarkBundle_Verify/empty_file_list
BenchmarkBundle_Verify/empty_file_list-12         	 2589482	       446.6 ns/op	     112 B/op	       4 allocs/op
BenchmarkBundle_Verify/single_small_file_1KB
BenchmarkBundle_Verify/single_small_file_1KB-12   	  538592	      2144 ns/op	    3776 B/op	       9 allocs/op
BenchmarkBundle_Verify/single_large_file_1MB
BenchmarkBundle_Verify/single_large_file_1MB-12   	     841	   1416067 ns/op	 4194389 B/op	      20 allocs/op
BenchmarkBundle_Verify/multiple_files_10x10KB
BenchmarkBundle_Verify/multiple_files_10x10KB-12  	    8576	    135169 ns/op	  262579 B/op	      33 allocs/op
PASS
```

After fix:

```
goos: darwin
goarch: arm64
pkg: github.com/TykTechnologies/tyk/gateway
cpu: Apple M4 Pro
BenchmarkBundle_Verify
BenchmarkBundle_Verify/empty_file_list
BenchmarkBundle_Verify/empty_file_list-12         	 2702305	       410.7 ns/op	     296 B/op	       5 allocs/op
BenchmarkBundle_Verify/single_small_file_1KB
BenchmarkBundle_Verify/single_small_file_1KB-12   	  686098	      1674 ns/op	     376 B/op	       7 allocs/op
BenchmarkBundle_Verify/single_large_file_1MB
BenchmarkBundle_Verify/single_large_file_1MB-12   	    1047	   1146433 ns/op	     377 B/op	       7 allocs/op
BenchmarkBundle_Verify/multiple_files_10x10KB
BenchmarkBundle_Verify/multiple_files_10x10KB-12  	   10000	    112470 ns/op	    1099 B/op	      25 allocs/op
PASS
```




<!---TykTechnologies/jira-linter starts here-->

### Ticket Details

<details>
<summary>
<a href="https://tyktech.atlassian.net/browse/TT-16532" title="TT-16532"
target="_blank">TT-16532</a>
</summary>

|         |    |
|---------|----|
| Status  | In Test |
| Summary | [CRITICAL][regression] Bundle Verification Significantly
Increases Resource Consumption |

Generated at: 2026-02-03 23:16:53

</details>

<!---TykTechnologies/jira-linter ends here-->



[TT-16532]:

https://tyktech.atlassian.net/browse/TT-16532?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

Co-authored-by: Burak Sezer <burak.sezer.developer@gmail.com>

[TT-16532]:
https://tyktech.atlassian.net/browse/TT-16532?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
[TT-16532]:
https://tyktech.atlassian.net/browse/TT-16532?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
[TT-16532]:
https://tyktech.atlassian.net/browse/TT-16532?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

Co-authored-by: probelabs[bot] <219682034+probelabs[bot]@users.noreply.github.com>
Co-authored-by: Burak Sezer <burak.sezer.developer@gmail.com>

Author: probelabs[bot]

cli/linter/schema.json

@@ -473,6 +473,9 @@
     "bundle_insecure_skip_verify": {
       "type": "boolean"
     },
+    "skip_verify_existing_plugin_bundle": {
+      "type": "boolean"
+    },
     "enable_custom_domains": {
       "type": "boolean"
     },

config/config.go

@@ -1098,6 +1098,9 @@ type Config struct {
 	// Disable TLS validation for bundle URLs
 	BundleInsecureSkipVerify bool `bson:"bundle_insecure_skip_verify" json:"bundle_insecure_skip_verify"`
 
+	// SkipVerifyExistingPluginBundle skips checksum verification for plugin bundles already on disk.
+	SkipVerifyExistingPluginBundle bool `bson:"skip_verify_existing_plugin_bundle" json:"skip_verify_existing_plugin_bundle"`
+
 	// Set to true if you are using JSVM custom middleware or virtual endpoints.
 	EnableJSVM bool `json:"enable_jsvm"`
 

gateway/coprocess_bundle.go

@@ -4,6 +4,7 @@ import (
 	"archive/zip"
 	"bytes"
 	"crypto/md5"
+	"crypto/sha256"
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
@@ -16,6 +17,7 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/cenk/backoff"
@@ -44,6 +46,13 @@ type Bundle struct {
 	Gw       *Gateway `json:"-"`
 }
 
+var bundleVerifyPool = sync.Pool{
+	New: func() interface{} {
+		buffer := make([]byte, 32*1024)
+		return &buffer
+	},
+}
+
 // Verify performs signature verification on the bundle file.
 func (b *Bundle) Verify(bundleFs afero.Fs) error {
 	log.WithFields(logrus.Fields{
@@ -69,23 +78,31 @@ func (b *Bundle) Verify(bundleFs afero.Fs) error {
 		}
 	}
 
-	var bundleData bytes.Buffer
+	md5Hash := md5.New()
+	sha256Hash := sha256.New()
+
+	var w io.Writer = md5Hash
+	if useSignature {
+		w = io.MultiWriter(md5Hash, sha256Hash)
+	}
+
+	buf := bundleVerifyPool.Get().(*[]byte)
+	defer bundleVerifyPool.Put(buf)
 
 	for _, f := range b.Manifest.FileList {
 		extractedPath := filepath.Join(b.Path, f)
-
-		f, err := bundleFs.Open(extractedPath)
+		file, err := bundleFs.Open(extractedPath)
 		if err != nil {
 			return err
 		}
-		_, err = io.Copy(&bundleData, f)
-		f.Close()
+		_, err = io.CopyBuffer(w, file, *buf)
+		file.Close()
 		if err != nil {
 			return err
 		}
 	}
 
-	checksum := fmt.Sprintf("%x", md5.Sum(bundleData.Bytes()))
+	checksum := fmt.Sprintf("%x", md5Hash.Sum(nil))
 	if checksum != b.Manifest.Checksum {
 		return errors.New("Invalid checksum")
 	}
@@ -95,7 +112,7 @@ func (b *Bundle) Verify(bundleFs afero.Fs) error {
 		if err != nil {
 			return err
 		}
-		return verifier.Verify(bundleData.Bytes(), signed)
+		return verifier.VerifyHash(sha256Hash.Sum(nil), signed)
 	}
 	return nil
 }
@@ -426,7 +443,7 @@ func (gw *Gateway) loadBundleWithFs(spec *APISpec, bundleFs afero.Fs) error {
 			Gw:   gw,
 		}
 
-		err = loadBundleManifest(bundleFs, &bundle, spec, false)
+		err = loadBundleManifest(bundleFs, &bundle, spec, gw.GetConfig().SkipVerifyExistingPluginBundle)
 		if err != nil {
 			log.WithFields(logrus.Fields{
 				"prefix": "main",

gateway/coprocess_bundle_test.go

@@ -498,18 +498,19 @@ func TestBundle_Pull(t *testing.T) {
 }
 
 func TestBundle_Verify(t *testing.T) {
-
 	tests := []struct {
-		name    string
-		bundle  Bundle
-		wantErr bool
+		name           string
+		bundle         Bundle
+		setupFs        func(afero.Fs, string)
+		usePublicKey   bool
+		wantErr        bool
+		wantErrContain string
 	}{
 		{
 			name: "bundle with invalid public key path",
 			bundle: Bundle{
 				Name: "test",
 				Data: []byte("test"),
-				Path: "/test/test.zip",
 				Spec: &APISpec{
 					APIDefinition: &apidef.APIDefinition{
 						CustomMiddlewareBundle: "test-mw-bundle",
@@ -520,14 +521,14 @@ func TestBundle_Verify(t *testing.T) {
 				},
 				Gw: &Gateway{},
 			},
-			wantErr: true,
+			usePublicKey: true,
+			wantErr:      true,
 		},
 		{
 			name: "bundle without signature",
 			bundle: Bundle{
 				Name: "test",
 				Data: []byte("test"),
-				Path: "/test/test.zip",
 				Spec: &APISpec{
 					APIDefinition: &apidef.APIDefinition{
 						CustomMiddlewareBundle: "test-mw-bundle",
@@ -538,20 +539,142 @@ func TestBundle_Verify(t *testing.T) {
 				},
 				Gw: &Gateway{},
 			},
-			wantErr: true,
+			usePublicKey: true,
+			wantErr:      true,
+		},
+		{
+			name: "valid checksum with empty file list",
+			bundle: Bundle{
+				Name: "test",
+				Spec: &APISpec{
+					APIDefinition: &apidef.APIDefinition{
+						CustomMiddlewareBundle: "test-mw-bundle",
+					},
+				},
+				Manifest: apidef.BundleManifest{
+					Checksum: "d41d8cd98f00b204e9800998ecf8427e", // MD5 of the empty string
+					FileList: []string{},
+				},
+				Gw: &Gateway{},
+			},
+			usePublicKey: false,
+			wantErr:      false,
+		},
+		{
+			name: "invalid checksum returns error",
+			bundle: Bundle{
+				Name: "test",
+				Spec: &APISpec{
+					APIDefinition: &apidef.APIDefinition{
+						CustomMiddlewareBundle: "test-mw-bundle",
+					},
+				},
+				Manifest: apidef.BundleManifest{
+					Checksum: "invalidchecksum123",
+					FileList: []string{},
+				},
+				Gw: &Gateway{},
+			},
+			usePublicKey:   false,
+			wantErr:        true,
+			wantErrContain: "Invalid checksum",
+		},
+		{
+			name: "file not found in file list",
+			bundle: Bundle{
+				Name: "test",
+				Spec: &APISpec{
+					APIDefinition: &apidef.APIDefinition{
+						CustomMiddlewareBundle: "test-mw-bundle",
+					},
+				},
+				Manifest: apidef.BundleManifest{
+					Checksum: "d41d8cd98f00b204e9800998ecf8427e",
+					FileList: []string{"nonexistent.py"},
+				},
+				Gw: &Gateway{},
+			},
+			setupFs:      func(fs afero.Fs, bundlePath string) {},
+			usePublicKey: false,
+			wantErr:      true,
+		},
+		{
+			name: "valid checksum with multiple files",
+			bundle: Bundle{
+				Name: "test",
+				Spec: &APISpec{
+					APIDefinition: &apidef.APIDefinition{
+						CustomMiddlewareBundle: "test-mw-bundle",
+					},
+				},
+				Manifest: apidef.BundleManifest{
+					// MD5 of "file1 contentfile2 content"
+					Checksum: "1510d0e71b31de1c78fd9e823a7c6de9",
+					FileList: []string{"file1.py", "file2.py"},
+				},
+				Gw: &Gateway{},
+			},
+			setupFs: func(fs afero.Fs, bundlePath string) {
+				assert.NoError(t, afero.WriteFile(fs, filepath.Join(bundlePath, "file1.py"), []byte("file1 content"), 0644))
+				assert.NoError(t, afero.WriteFile(fs, filepath.Join(bundlePath, "file2.py"), []byte("file2 content"), 0644))
+			},
+			usePublicKey: false,
+			wantErr:      false,
+		},
+		{
+			name: "invalid base64 signature returns error",
+			bundle: Bundle{
+				Name: "test",
+				Spec: &APISpec{
+					APIDefinition: &apidef.APIDefinition{
+						CustomMiddlewareBundle: "test-mw-bundle",
+					},
+				},
+				Manifest: apidef.BundleManifest{
+					Checksum:  "d41d8cd98f00b204e9800998ecf8427e",
+					FileList:  []string{},
+					Signature: "!!!invalid-base64!!!",
+				},
+				Gw: &Gateway{},
+			},
+			usePublicKey: true,
+			wantErr:      true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			b := tt.bundle
 
 			globalConf := config.Config{}
-			globalConf.PublicKeyPath = "test"
+			if tt.usePublicKey {
+				pemfile := createPEMFile(t)
+				t.Cleanup(func() {
+					_ = pemfile.Close()
+					_ = os.Remove(pemfile.Name())
+				})
+				globalConf.PublicKeyPath = pemfile.Name()
+			}
 			b.Gw.SetConfig(globalConf)
 
-			if err := b.Verify(afero.NewOsFs()); (err != nil) != tt.wantErr {
+			fs := afero.NewMemMapFs()
+			bundlePath := "/test/bundles/test-bundle"
+			b.Path = bundlePath
+
+			if err := fs.MkdirAll(bundlePath, 0755); err != nil {
+				t.Fatalf("failed to create bundle directory: %v", err)
+			}
+
+			if tt.setupFs != nil {
+				tt.setupFs(fs, bundlePath)
+			}
+
+			err := b.Verify(fs)
+			if (err != nil) != tt.wantErr {
 				t.Errorf("Bundle.Verify() error = %v, wantErr %v", err, tt.wantErr)
 			}
+			if tt.wantErrContain != "" && err != nil {
+				assert.ErrorContains(t, err, tt.wantErrContain)
+			}
 		})
 	}
 }
@@ -583,3 +706,84 @@ func createPEMFile(t *testing.T) *os.File {
 
 	return tmpfile
 }
+
+func setupBenchmarkBundle(b *testing.B, fs afero.Fs, bundlePath string, fileSize, numFiles int) *Bundle {
+	b.Helper()
+
+	if err := fs.MkdirAll(bundlePath, 0755); err != nil {
+		b.Fatalf("failed to create bundle directory: %v", err)
+	}
+
+	fileContent := make([]byte, fileSize)
+	for i := range fileContent {
+		fileContent[i] = 'A'
+	}
+
+	fileList := make([]string, numFiles)
+	md5Hash := md5.New()
+
+	for i := 0; i < numFiles; i++ {
+		fileName := fmt.Sprintf("file%d.py", i)
+		fileList[i] = fileName
+		filePath := filepath.Join(bundlePath, fileName)
+
+		if err := afero.WriteFile(fs, filePath, fileContent, 0644); err != nil {
+			b.Fatalf("failed to write file %s: %v", fileName, err)
+		}
+
+		md5Hash.Write(fileContent)
+	}
+
+	checksum := fmt.Sprintf("%x", md5Hash.Sum(nil))
+
+	if numFiles == 0 {
+		checksum = "d41d8cd98f00b204e9800998ecf8427e"
+	}
+
+	return &Bundle{
+		Name: "benchmark-bundle",
+		Path: bundlePath,
+		Spec: &APISpec{
+			APIDefinition: &apidef.APIDefinition{
+				CustomMiddlewareBundle: "benchmark-bundle.zip",
+			},
+		},
+		Manifest: apidef.BundleManifest{
+			Checksum: checksum,
+			FileList: fileList,
+		},
+		Gw: &Gateway{},
+	}
+}
+
+func BenchmarkBundle_Verify(b *testing.B) {
+	benchmarks := []struct {
+		name     string
+		fileSize int
+		numFiles int
+	}{
+		{"empty_file_list", 0, 0},
+		{"single_small_file_1KB", 1024, 1},
+		{"single_large_file_1MB", 1024 * 1024, 1},
+		{"multiple_files_10x10KB", 10 * 1024, 10},
+	}
+
+	for _, bm := range benchmarks {
+		b.Run(bm.name, func(b *testing.B) {
+			// Setup bundle and filesystem
+			fs := afero.NewMemMapFs()
+			bundlePath := "/test/bundles/benchmark-bundle"
+			bundle := setupBenchmarkBundle(b, fs, bundlePath, bm.fileSize, bm.numFiles)
+
+			// Configure GW with no public key (no signature verification)
+			bundle.Gw.SetConfig(config.Config{})
+
+			b.ResetTimer()
+			b.ReportAllocs()
+
+			for i := 0; i < b.N; i++ {
+				_ = bundle.Verify(fs)
+			}
+		})
+	}
+}

go.mod

@@ -24,7 +24,7 @@ require (
 	github.com/TykTechnologies/drl v0.0.0-20231218155806-88e4363884a2
 	github.com/TykTechnologies/goautosocket v0.0.0-20190430121222-97bfa5e7e481
 	github.com/TykTechnologies/gorpc v0.0.0-20250214161245-e9f3f088e8c6
-	github.com/TykTechnologies/goverify v0.0.0-20220808203004-1486f89e7708
+	github.com/TykTechnologies/goverify v0.0.0-20260203113354-7a104729566e
 	github.com/TykTechnologies/graphql-go-tools v1.6.2-0.20251104074758-abfe5c458f3b
 	github.com/TykTechnologies/graphql-translator v0.0.0-20250602105400-41c2e7514a36
 	github.com/TykTechnologies/murmur3 v0.0.0-20230310161213-aad17efd5632

go.sum

@@ -812,8 +812,8 @@ github.com/TykTechnologies/goautosocket v0.0.0-20190430121222-97bfa5e7e481 h1:fP
 github.com/TykTechnologies/goautosocket v0.0.0-20190430121222-97bfa5e7e481/go.mod h1:CtF8OunV123VfKa8Z9kKcIPHgcd67hSAwFMLlS7FvS4=
 github.com/TykTechnologies/gorpc v0.0.0-20250214161245-e9f3f088e8c6 h1:wwt23wdyiZg386taFYNx8NB0jNdtTe66yUcq7vKq9L8=
 github.com/TykTechnologies/gorpc v0.0.0-20250214161245-e9f3f088e8c6/go.mod h1:v6v7Mlj08+EmEcXOfpuTxGt2qYU9yhqqtv4QF9Wf50E=
-github.com/TykTechnologies/goverify v0.0.0-20220808203004-1486f89e7708 h1:cmXjlMzcexhc/Cg+QB/c2CPUVs1ux9xn6162qaf/LC4=
-github.com/TykTechnologies/goverify v0.0.0-20220808203004-1486f89e7708/go.mod h1:mkS8jKcz8otdfEXhJs1QQ/DKoIY1NFFsRPKS0RwQENI=
+github.com/TykTechnologies/goverify v0.0.0-20260203113354-7a104729566e h1:wbd35YYCywZbgc4Fk/G2pQHnvwYzjedrw8pNzUsVowg=
+github.com/TykTechnologies/goverify v0.0.0-20260203113354-7a104729566e/go.mod h1:WtiSLIlItUVsHyHQB1NG+de/L4/PTtmZWc9CnzTRBLs=
 github.com/TykTechnologies/graphql-go-tools v1.6.2-0.20251104074758-abfe5c458f3b h1:Qepgu3gphc87YOx7lQ66m5QRfhXy8Xy5PmSZf1qSOoc=
 github.com/TykTechnologies/graphql-go-tools v1.6.2-0.20251104074758-abfe5c458f3b/go.mod h1:bvVafmGebtdjIFG2bXkLd+O1jOjjU/3To+mQHcLr4KI=
 github.com/TykTechnologies/graphql-go-tools/v2 v2.0.0-20250926102005-c54e73aae17d h1:bK9T78hExbTuDK4UaBuGi9aL28hK68Uw3OyNZswdPcA=