fix DoS vulnerability in the content SHA-256 processing (#8026)

This commit fixes a DoS issue that is caused by an incorrect
SHA-256 content verification during STS requests.

Before that fix clients could write arbitrary many bytes
to the server memory. This commit fixes this by limiting the
request body size.
This commit is contained in:
Andreas Auernhammer 2019-08-05 19:06:40 +02:00 committed by Harshavardhana
parent 414a7eca83
commit f6d0645a3c
2 changed files with 4 additions and 1 deletions

View File

@ -21,6 +21,7 @@ import (
"context"
"crypto/hmac"
"encoding/hex"
"io"
"io/ioutil"
"net/http"
"strconv"
@ -61,7 +62,7 @@ func skipContentSha256Cksum(r *http.Request) bool {
// Returns SHA256 for calculating canonical-request.
func getContentSha256Cksum(r *http.Request, stype serviceType) string {
if stype == serviceSTS {
payload, err := ioutil.ReadAll(r.Body)
payload, err := ioutil.ReadAll(io.LimitReader(r.Body, stsRequestBodyLimit))
if err != nil {
logger.CriticalIf(context.Background(), err)
}

View File

@ -40,6 +40,8 @@ const (
clientGrants = "AssumeRoleWithClientGrants"
webIdentity = "AssumeRoleWithWebIdentity"
assumeRole = "AssumeRole"
stsRequestBodyLimit = 10 * (1 << 20) // 10 MiB
)
// stsAPIHandlers implements and provides http handlers for AWS STS API.