fix: limit HTTP response body reads to prevent OOM #2296
Merged
Subserial merged 2 commits into main on May 12, 2026
Conversation
Three unbounded io.ReadAll calls on HTTP response bodies from untrusted registries could allow a malicious or compromised registry to exhaust the client's memory:

- pkg/v1/remote/referrers.go: Referrers API response body read with no size limit, unlike the manifest fetch path which caps at manifestLimit (100 MiB). Apply the same manifestLimit cap.
- pkg/v1/remote/transport/error.go: CheckError and retryError read error response bodies unboundedly. These fire on any non-2xx response, including the initial auth challenge (401). Apply a 64 KiB cap via maxErrorBodySize — sufficient for any structured registry error JSON.
- pkg/v1/remote/transport/bearer.go: refreshOauth and refreshBasic read token endpoint responses unboundedly. Apply the same 64 KiB cap.
82616d6 to cbd9b4e
Subserial reviewed on May 12, 2026
Codecov Report: All modified and coverable lines are covered by tests.

Coverage Diff (main vs. #2296):

             main     #2296    +/-
  Coverage   56.70%   56.70%
  Files      165      165
  Lines      11239    11239
  Hits       6373     6373
  Misses     4106     4106
  Partials   760      760
Token endpoint success responses are not errors; introduce a separate constant so the limit's purpose is clear at the call site.
Subserial approved these changes on May 12, 2026
Subserial pushed a commit to Subserial/go-containerregistry that referenced this pull request on May 15, 2026:
* fix: limit HTTP response body reads to prevent OOM

  Three unbounded io.ReadAll calls on HTTP response bodies from untrusted registries could allow a malicious or compromised registry to exhaust the client's memory:
  - pkg/v1/remote/referrers.go: Referrers API response body read with no size limit, unlike the manifest fetch path which caps at manifestLimit (100 MiB). Apply the same manifestLimit cap.
  - pkg/v1/remote/transport/error.go: CheckError and retryError read error response bodies unboundedly. These fire on any non-2xx response, including the initial auth challenge (401). Apply a 64 KiB cap via maxErrorBodySize — sufficient for any structured registry error JSON.
  - pkg/v1/remote/transport/bearer.go: refreshOauth and refreshBasic read token endpoint responses unboundedly. Apply the same 64 KiB cap.

* transport: use dedicated maxTokenBodySize for bearer token reads

  Token endpoint success responses are not errors; introduce a separate constant so the limit's purpose is clear at the call site.

  ---------

  Co-authored-by: evilgensec <sujaltuladhar1231@gmail.com>
Problem

Three paths read HTTP response bodies from a registry with no size limit, allowing a malicious or compromised registry to exhaust client memory:

1. pkg/v1/remote/referrers.go: The manifest fetch path caps at manifestLimit (100 MiB), but the Referrers fast path bypasses this entirely.
2. pkg/v1/remote/transport/error.go (CheckError and retryError): Triggered before any authentication succeeds (e.g., on the initial 401 challenge), so a malicious registry can exhaust memory without the client ever authenticating.
3. pkg/v1/remote/transport/bearer.go (refreshOauth and refreshBasic): A registry whose WWW-Authenticate realm points to a large-response server (or a compromised token endpoint) can cause OOM during every token refresh.

Fix

- referrers.go: cap the read with the existing manifestLimit (100 MiB) constant.
- error.go and bearer.go: cap the reads with maxErrorBodySize (64 KiB) — sufficient for any structured registry error JSON or token response.

All existing tests pass.
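The pattern behind all three fixes is the same: never hand an untrusted response body to io.ReadAll directly, wrap it in io.LimitReader with a cap chosen for that response type. The following is an added example written for this page, not code from go-containerregistry; the constants manifestLimit, maxErrorBodySize and maxTokenBodySize are redeclared here with the sizes the PR states, and the helper names readBodyLimited, fetchLimited and hostileRegistry are assumptions for the illustration. The in-process test server is constructed to behave like a registry whose 401 challenge carries an oversized body, which is exactly the unauthenticated case the PR calls out.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Size caps with the values the PR describes (redeclared for this example;
// the project's own declarations live in pkg/v1/remote and its transport).
const (
	manifestLimit    = 100 << 20 // 100 MiB: manifest and referrers responses
	maxErrorBodySize = 64 << 10  // 64 KiB: any non-2xx error body
	maxTokenBodySize = 64 << 10  // 64 KiB: token endpoint success responses
)

// ErrBodyTooLarge is returned when a response body exceeds its cap.
var ErrBodyTooLarge = errors.New("response body exceeds size limit")

// readBodyLimited reads at most limit bytes from r. It asks for one byte
// more than the limit so an oversized body is reported as an error rather
// than silently truncated and then misparsed.
func readBodyLimited(r io.Reader, limit int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, ErrBodyTooLarge
	}
	return b, nil
}

// fetchLimited issues a GET and returns the status and the bounded body.
// A 2xx body is capped at okLimit; anything else is treated as an error
// body and capped at maxErrorBodySize, which covers the initial 401 too.
func fetchLimited(client *http.Client, url string, okLimit int64) (int, []byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	var limit int64 = maxErrorBodySize
	if resp.StatusCode >= 200 && resp.StatusCode < 300 {
		limit = okLimit
	}
	b, err := readBodyLimited(resp.Body, limit)
	return resp.StatusCode, b, err
}

// hostileRegistry is a constructed stand-in for a registry whose 401
// challenge streams a 256 KiB body; the token and manifest paths answer
// with small constructed JSON so the success path can be checked as well.
func hostileRegistry() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		switch r.URL.Path {
		case "/v2/":
			w.Header().Set("WWW-Authenticate", `Bearer realm="http://`+r.Host+`/token"`)
			w.WriteHeader(http.StatusUnauthorized)
			chunk := strings.Repeat("A", 4096)
			for i := 0; i < 64; i++ {
				if _, err := io.WriteString(w, chunk); err != nil {
					return // the client stopped reading at its cap
				}
			}
		case "/token":
			_, _ = io.WriteString(w, `{"token":"constructed-example-token"}`)
		default:
			_, _ = io.WriteString(w, `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json"}`)
		}
	}))
}

func main() {
	srv := hostileRegistry()
	defer srv.Close()
	c := srv.Client()
	status, _, err := fetchLimited(c, srv.URL+"/v2/", manifestLimit)
	fmt.Printf("401 challenge: status=%d err=%v\n", status, err)
	status, body, err := fetchLimited(c, srv.URL+"/token", maxTokenBodySize)
	fmt.Printf("token: status=%d body=%s err=%v\n", status, body, err)
	status, body, err = fetchLimited(c, srv.URL+"/v2/app/manifests/latest", manifestLimit)
	fmt.Printf("manifest: status=%d len=%d err=%v\n", status, len(body), err)
}
```

Reading limit+1 bytes rather than exactly limit is the detail worth keeping: with a plain LimitReader of size limit, a body that is too large comes back truncated and the caller then tries to parse a cut-off JSON document, which fails with a confusing decode error instead of a clear size violation. Choosing the cap per response class (large for manifests, small for errors and tokens) keeps the memory a hostile registry can force the client to allocate bounded before any credentials are exchanged.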