Limit YAML/JSON decode size

cmd/kube-apiserver/app/options/options_test.go

@@ -130,8 +130,8 @@ func TestAddFlags(t *testing.T) {
 			MaxMutatingRequestsInFlight: 200,
 			RequestTimeout:              time.Duration(2) * time.Minute,
 			MinRequestTimeout:           1800,
-			JSONPatchMaxCopyBytes:       int64(100 * 1024 * 1024),
-			MaxRequestBodyBytes:         int64(100 * 1024 * 1024),
+			JSONPatchMaxCopyBytes:       int64(3 * 1024 * 1024),
+			MaxRequestBodyBytes:         int64(3 * 1024 * 1024),
 		},
 		Admission: &kubeoptions.AdmissionOptions{
 			GenericAdmission: &apiserveroptions.AdmissionOptions{

staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/apiserver.go

@@ -201,6 +201,7 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 		c.GenericConfig.RequestTimeout,
 		time.Duration(c.GenericConfig.MinRequestTimeout)*time.Second,
 		apiGroupInfo.StaticOpenAPISpec,
+		c.GenericConfig.MaxRequestBodyBytes,
 	)
 	if err != nil {
 		return nil, err

staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go

@@ -125,6 +125,10 @@ type crdHandler struct {
 	// purpose of managing fields, it is how CR handlers get the structure
 	// of TypeMeta and ObjectMeta
 	staticOpenAPISpec *spec.Swagger
+
+	// The limit on the request size that would be accepted and decoded in a write request
+	// 0 means no limit.
+	maxRequestBodyBytes int64
 }
 
 // crdInfo stores enough information to serve the storage for the custom resource
@@ -169,7 +173,8 @@ func NewCustomResourceDefinitionHandler(
 	authorizer authorizer.Authorizer,
 	requestTimeout time.Duration,
 	minRequestTimeout time.Duration,
-	staticOpenAPISpec *spec.Swagger) (*crdHandler, error) {
+	staticOpenAPISpec *spec.Swagger,
+	maxRequestBodyBytes int64) (*crdHandler, error) {
 	ret := &crdHandler{
 		versionDiscoveryHandler: versionDiscoveryHandler,
 		groupDiscoveryHandler:   groupDiscoveryHandler,
@@ -185,6 +190,7 @@ func NewCustomResourceDefinitionHandler(
 		requestTimeout:          requestTimeout,
 		minRequestTimeout:       minRequestTimeout,
 		staticOpenAPISpec:       staticOpenAPISpec,
+		maxRequestBodyBytes:     maxRequestBodyBytes,
 	}
 	crdInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc:    ret.createCustomResourceDefinition,
@@ -812,6 +818,8 @@ func (r *crdHandler) getOrCreateServingInfoFor(uid types.UID, name string) (*crd
 			TableConvertor: storages[v.Name].CustomResource,
 
 			Authorizer: r.authorizer,
+
+			MaxRequestBodyBytes: r.maxRequestBodyBytes,
 		}
 		if utilfeature.DefaultFeatureGate.Enabled(features.ServerSideApply) {
 			reqScope := *requestScopes[v.Name]

staging/src/k8s.io/apiextensions-apiserver/test/integration/BUILD

@@ -15,6 +15,7 @@ go_test(
         "change_test.go",
         "defaulting_test.go",
         "finalization_test.go",
+        "limit_test.go",
         "objectmeta_test.go",
         "pruning_test.go",
         "registration_test.go",

staging/src/k8s.io/apiextensions-apiserver/test/integration/limit_test.go

@@ -0,0 +1,216 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package integration
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"k8s.io/client-go/dynamic"
+
+	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	"k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	"k8s.io/apiextensions-apiserver/test/integration/fixtures"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+func TestLimits(t *testing.T) {
+	tearDown, config, _, err := fixtures.StartDefaultServer(t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer tearDown()
+
+	apiExtensionClient, err := clientset.NewForConfig(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dynamicClient, err := dynamic.NewForConfig(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	noxuDefinition := fixtures.NewNoxuCustomResourceDefinition(apiextensionsv1beta1.ClusterScoped)
+	noxuDefinition, err = fixtures.CreateNewCustomResourceDefinition(noxuDefinition, apiExtensionClient, dynamicClient)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	kind := noxuDefinition.Spec.Names.Kind
+	apiVersion := noxuDefinition.Spec.Group + "/" + noxuDefinition.Spec.Version
+
+	rest := apiExtensionClient.Discovery().RESTClient()
+
+	// Create YAML over 3MB limit
+	t.Run("create YAML over limit", func(t *testing.T) {
+		yamlBody := []byte(fmt.Sprintf(`
+apiVersion: %s
+kind: %s
+metadata:
+  name: test
+values: `+strings.Repeat("[", 3*1024*1024), apiVersion, kind))
+
+		_, err := rest.Post().
+			SetHeader("Accept", "application/yaml").
+			SetHeader("Content-Type", "application/yaml").
+			AbsPath("/apis", noxuDefinition.Spec.Group, noxuDefinition.Spec.Version, noxuDefinition.Spec.Names.Plural).
+			Body(yamlBody).
+			DoRaw()
+		if !apierrors.IsRequestEntityTooLargeError(err) {
+			t.Errorf("expected too large error, got %v", err)
+		}
+	})
+
+	// Create YAML just under 3MB limit, nested
+	t.Run("create YAML doc under limit, nested", func(t *testing.T) {
+		yamlBody := []byte(fmt.Sprintf(`
+	apiVersion: %s
+	kind: %s
+	metadata:
+	  name: test
+	values: `+strings.Repeat("[", 3*1024*1024/2-500)+strings.Repeat("]", 3*1024*1024/2-500), apiVersion, kind))
+
+		_, err := rest.Post().
+			SetHeader("Accept", "application/yaml").
+			SetHeader("Content-Type", "application/yaml").
+			AbsPath("/apis", noxuDefinition.Spec.Group, noxuDefinition.Spec.Version, noxuDefinition.Spec.Names.Plural).
+			Body(yamlBody).
+			DoRaw()
+		if !apierrors.IsBadRequest(err) {
+			t.Errorf("expected bad request, got %v", err)
+		}
+	})
+
+	// Create YAML just under 3MB limit, not nested
+	t.Run("create YAML doc under limit, not nested", func(t *testing.T) {
+		yamlBody := []byte(fmt.Sprintf(`
+		apiVersion: %s
+		kind: %s
+		metadata:
+		  name: test
+		values: `+strings.Repeat("[", 3*1024*1024-1000), apiVersion, kind))
+
+		_, err := rest.Post().
+			SetHeader("Accept", "application/yaml").
+			SetHeader("Content-Type", "application/yaml").
+			AbsPath("/apis", noxuDefinition.Spec.Group, noxuDefinition.Spec.Version, noxuDefinition.Spec.Names.Plural).
+			Body(yamlBody).
+			DoRaw()
+		if !apierrors.IsBadRequest(err) {
+			t.Errorf("expected bad request, got %v", err)
+		}
+	})
+
+	// Create JSON over 3MB limit
+	t.Run("create JSON over limit", func(t *testing.T) {
+		jsonBody := []byte(fmt.Sprintf(`{
+	"apiVersion": %q,
+	"kind": %q,
+	"metadata": {
+	  "name": "test"
+	},
+	"values": `+strings.Repeat("[", 3*1024*1024/2)+strings.Repeat("]", 3*1024*1024/2)+"}", apiVersion, kind))
+
+		_, err := rest.Post().
+			SetHeader("Accept", "application/json").
+			SetHeader("Content-Type", "application/json").
+			AbsPath("/apis", noxuDefinition.Spec.Group, noxuDefinition.Spec.Version, noxuDefinition.Spec.Names.Plural).
+			Body(jsonBody).
+			DoRaw()
+		if !apierrors.IsRequestEntityTooLargeError(err) {
+			t.Errorf("expected too large error, got %v", err)
+		}
+	})
+
+	// Create JSON just under 3MB limit, nested
+	t.Run("create JSON doc under limit, nested", func(t *testing.T) {
+		jsonBody := []byte(fmt.Sprintf(`{
+		"apiVersion": %q,
+		"kind": %q,
+		"metadata": {
+		  "name": "test"
+		},
+		"values": `+strings.Repeat("[", 3*1024*1024/2-500)+strings.Repeat("]", 3*1024*1024/2-500)+"}", apiVersion, kind))
+
+		_, err := rest.Post().
+			SetHeader("Accept", "application/json").
+			SetHeader("Content-Type", "application/json").
+			AbsPath("/apis", noxuDefinition.Spec.Group, noxuDefinition.Spec.Version, noxuDefinition.Spec.Names.Plural).
+			Body(jsonBody).
+			DoRaw()
+		if !apierrors.IsBadRequest(err) {
+			t.Errorf("expected bad request, got %v", err)
+		}
+	})
+
+	// Create JSON just under 3MB limit, not nested
+	t.Run("create JSON doc under limit, not nested", func(t *testing.T) {
+		jsonBody := []byte(fmt.Sprintf(`{
+			"apiVersion": %q,
+			"kind": %q,
+			"metadata": {
+			  "name": "test"
+			},
+			"values": `+strings.Repeat("[", 3*1024*1024-1000)+"}", apiVersion, kind))
+
+		_, err := rest.Post().
+			SetHeader("Accept", "application/json").
+			SetHeader("Content-Type", "application/json").
+			AbsPath("/apis", noxuDefinition.Spec.Group, noxuDefinition.Spec.Version, noxuDefinition.Spec.Names.Plural).
+			Body(jsonBody).
+			DoRaw()
+		if !apierrors.IsBadRequest(err) {
+			t.Errorf("expected bad request, got %v", err)
+		}
+	})
+
+	// Create instance to allow patching
+	{
+		jsonBody := []byte(fmt.Sprintf(`{"apiVersion": %q, "kind": %q, "metadata": {"name": "test"}}`, apiVersion, kind))
+		_, err := rest.Post().AbsPath("/apis", noxuDefinition.Spec.Group, noxuDefinition.Spec.Version, noxuDefinition.Spec.Names.Plural).Body(jsonBody).DoRaw()
+		if err != nil {
+			t.Fatalf("error creating object: %v", err)
+		}
+	}
+
+	t.Run("JSONPatchType nested patch under limit", func(t *testing.T) {
+		patchBody := []byte(`[{"op":"add","path":"/foo","value":` + strings.Repeat("[", 3*1024*1024/2-100) + strings.Repeat("]", 3*1024*1024/2-100) + `}]`)
+		err = rest.Patch(types.JSONPatchType).AbsPath("/apis", noxuDefinition.Spec.Group, noxuDefinition.Spec.Version, noxuDefinition.Spec.Names.Plural, "test").
+			Body(patchBody).Do().Error()
+		if !apierrors.IsBadRequest(err) {
+			t.Errorf("expected success or bad request err, got %v", err)
+		}
+	})
+	t.Run("MergePatchType nested patch under limit", func(t *testing.T) {
+		patchBody := []byte(`{"value":` + strings.Repeat("[", 3*1024*1024/2-100) + strings.Repeat("]", 3*1024*1024/2-100) + `}`)
+		err = rest.Patch(types.MergePatchType).AbsPath("/apis", noxuDefinition.Spec.Group, noxuDefinition.Spec.Version, noxuDefinition.Spec.Names.Plural, "test").
+			Body(patchBody).Do().Error()
+		if !apierrors.IsBadRequest(err) {
+			t.Errorf("expected success or bad request err, got %v", err)
+		}
+	})
+	t.Run("ApplyPatchType nested patch under limit", func(t *testing.T) {
+		patchBody := []byte(`{"value":` + strings.Repeat("[", 3*1024*1024/2-100) + strings.Repeat("]", 3*1024*1024/2-100) + `}`)
+		err = rest.Patch(types.ApplyPatchType).Param("fieldManager", "test").AbsPath("/apis", noxuDefinition.Spec.Group, noxuDefinition.Spec.Version, noxuDefinition.Spec.Names.Plural, "test").
+			Body(patchBody).Do().Error()
+		if !apierrors.IsBadRequest(err) {
+			t.Errorf("expected bad request err, got %#v", err)
+		}
+	})
+}

staging/src/k8s.io/apimachinery/pkg/runtime/serializer/json/BUILD

@@ -9,6 +9,7 @@ load(
 go_test(
     name = "go_default_test",
     srcs = [
+        "json_limit_test.go",
         "json_test.go",
         "meta_test.go",
     ],
@@ -17,6 +18,7 @@ go_test(
         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/json:go_default_library",
     ],
 )
 

staging/src/k8s.io/apimachinery/pkg/runtime/serializer/json/json.go

@@ -122,7 +122,27 @@ func (customNumberDecoder) Decode(ptr unsafe.Pointer, iter *jsoniter.Iterator) {
 		}
 		iter.ReportError("DecodeNumber", err.Error())
 	default:
+		// init depth, if needed
+		if iter.Attachment == nil {
+			iter.Attachment = int(1)
+		}
+
+		// remember current depth
+		originalAttachment := iter.Attachment
+
+		// increment depth before descending
+		if i, ok := iter.Attachment.(int); ok {
+			iter.Attachment = i + 1
+			if i > 10000 {
+				iter.ReportError("parse", "exceeded max depth")
+				return
+			}
+		}
+
 		*(*interface{})(ptr) = iter.Read()
+
+		// restore current depth
+		iter.Attachment = originalAttachment
 	}
 }