Commit e23c15a0 authored by Tim Allclair's avatar Tim Allclair

Only check caller-controlled attribute size for max cache key

parent ea1b4eb2
...@@ -200,7 +200,7 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (decision auth ...@@ -200,7 +200,7 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (decision auth
if r.Status.Allowed { if r.Status.Allowed {
w.responseCache.Add(string(key), r.Status, w.authorizedTTL) w.responseCache.Add(string(key), r.Status, w.authorizedTTL)
} else { } else {
if len(key) <= maxUnauthorizedCachedKeySize { if callerControlledAttributeSize(attr) < maxUnauthorizedCachedKeySize {
w.responseCache.Add(string(key), r.Status, w.unauthorizedTTL) w.responseCache.Add(string(key), r.Status, w.unauthorizedTTL)
} }
} }
...@@ -268,3 +268,14 @@ func (t *subjectAccessReviewClient) Create(subjectAccessReview *authorization.Su ...@@ -268,3 +268,14 @@ func (t *subjectAccessReviewClient) Create(subjectAccessReview *authorization.Su
err := t.w.RestClient.Post().Body(subjectAccessReview).Do().Into(result) err := t.w.RestClient.Post().Body(subjectAccessReview).Do().Into(result)
return result, err return result, err
} }
func callerControlledAttributeSize(attr authorizer.Attributes) int64 {
return int64(len(attr.GetNamespace())) +
int64(len(attr.GetVerb())) +
int64(len(attr.GetAPIGroup())) +
int64(len(attr.GetAPIVersion())) +
int64(len(attr.GetResource())) +
int64(len(attr.GetSubresource())) +
int64(len(attr.GetName())) +
int64(len(attr.GetPath()))
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment