Add max buffering to SFTP (#19848)

Prevent OOM by adversarial use of SFTP upload by setting a 100MB max upload buffer.
This commit is contained in:
Klaus Post 2024-05-31 14:28:07 -07:00 committed by GitHub
parent d67bccf861
commit d3ae0aaad3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -39,6 +39,10 @@ import (
"golang.org/x/crypto/ssh"
)
// Maximum write offset for incoming SFTP blocks.
// Set to 100MiB to prevent hostile DOS attacks.
const ftpMaxWriteOffset = 100 << 20
type sftpDriver struct {
permissions *ssh.Permissions
endpoint string
@ -269,6 +273,9 @@ func (w *writerAt) WriteAt(b []byte, offset int64) (n int, err error) {
n, err = w.w.Write(b)
w.nextOffset += int64(n)
} else {
if offset > w.nextOffset+ftpMaxWriteOffset {
return 0, fmt.Errorf("write offset %d is too far ahead of next offset %d", offset, w.nextOffset)
}
w.buffer[offset] = make([]byte, len(b))
copy(w.buffer[offset], b)
n = len(b)