Commit e23c15a0 authored by Tim Allclair's avatar Tim Allclair

Only check caller-controlled attribute size for max cache key

parent ea1b4eb2
......@@ -200,7 +200,7 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (decision auth
if r.Status.Allowed {
w.responseCache.Add(string(key), r.Status, w.authorizedTTL)
} else {
if len(key) <= maxUnauthorizedCachedKeySize {
if callerControlledAttributeSize(attr) < maxUnauthorizedCachedKeySize {
w.responseCache.Add(string(key), r.Status, w.unauthorizedTTL)
}
}
......@@ -268,3 +268,14 @@ func (t *subjectAccessReviewClient) Create(subjectAccessReview *authorization.Su
err := t.w.RestClient.Post().Body(subjectAccessReview).Do().Into(result)
return result, err
}
func callerControlledAttributeSize(attr authorizer.Attributes) int64 {
return int64(len(attr.GetNamespace())) +
int64(len(attr.GetVerb())) +
int64(len(attr.GetAPIGroup())) +
int64(len(attr.GetAPIVersion())) +
int64(len(attr.GetResource())) +
int64(len(attr.GetSubresource())) +
int64(len(attr.GetName())) +
int64(len(attr.GetPath()))
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment