ClusterTrustBundle: Enforce max size during validation

ahmedtd · ahmedtd · commit 96e610ac188f · 2023-11-03T11:40:49.000-07:00
diff --git a/pkg/apis/certificates/types.go b/pkg/apis/certificates/types.go
@@ -277,3 +277,6 @@ type ClusterTrustBundleList struct {
 	// Items is a collection of ClusterTrustBundle objects
 	Items []ClusterTrustBundle
 }
+
+// MaxTrustBundleSize is the maximimum size of a single trust bundle field.
+const MaxTrustBundleSize = 1 * 1024 * 1024
diff --git a/pkg/apis/certificates/validation/validation.go b/pkg/apis/certificates/validation/validation.go
@@ -508,6 +508,11 @@ func ValidateClusterTrustBundleUpdate(newBundle, oldBundle *certificates.Cluster
 func validateTrustBundle(path *field.Path, in string) field.ErrorList {
 	var allErrors field.ErrorList
 
+	if len(in) > certificates.MaxTrustBundleSize {
+		allErrors = append(allErrors, field.TooLong(path, fmt.Sprintf("<value omitted, len %d>", len(in)), certificates.MaxTrustBundleSize))
+		return allErrors
+	}
+
 	blockDedupe := map[string][]int{}
 
 	rest := []byte(in)
diff --git a/pkg/apis/certificates/validation/validation_test.go b/pkg/apis/certificates/validation/validation_test.go

Original file line number	Diff line number	Diff line change
`@@ -277,3 +277,6 @@ type ClusterTrustBundleList struct {`
`277`	`277`	`// Items is a collection of ClusterTrustBundle objects`
`278`	`278`	`Items []ClusterTrustBundle`
`279`	`279`	`}`
	`280`	`+`
	`281`	`+// MaxTrustBundleSize is the maximimum size of a single trust bundle field.`
	`282`	`+const MaxTrustBundleSize = 1 * 1024 * 1024`