mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Merge pull request #19312 from cpuguy83/19177_fix_debug_req_dump_size
Don't dump request body when too large
This commit is contained in:
commit
59231ea6d8
2 changed files with 57 additions and 41 deletions
|
@ -1,9 +1,9 @@
|
||||||
package server
|
package server
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bufio"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"io/ioutil"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
"runtime"
|
"runtime"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -14,6 +14,7 @@ import (
|
||||||
"github.com/docker/docker/dockerversion"
|
"github.com/docker/docker/dockerversion"
|
||||||
"github.com/docker/docker/errors"
|
"github.com/docker/docker/errors"
|
||||||
"github.com/docker/docker/pkg/authorization"
|
"github.com/docker/docker/pkg/authorization"
|
||||||
|
"github.com/docker/docker/pkg/ioutils"
|
||||||
"github.com/docker/docker/pkg/version"
|
"github.com/docker/docker/pkg/version"
|
||||||
"golang.org/x/net/context"
|
"golang.org/x/net/context"
|
||||||
)
|
)
|
||||||
|
@ -27,14 +28,29 @@ func debugRequestMiddleware(handler httputils.APIFunc) httputils.APIFunc {
|
||||||
return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
|
return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
|
||||||
logrus.Debugf("%s %s", r.Method, r.RequestURI)
|
logrus.Debugf("%s %s", r.Method, r.RequestURI)
|
||||||
|
|
||||||
if r.Method == "POST" {
|
if r.Method != "POST" {
|
||||||
if err := httputils.CheckForJSON(r); err == nil {
|
return handler(ctx, w, r, vars)
|
||||||
var buf bytes.Buffer
|
}
|
||||||
if _, err := buf.ReadFrom(r.Body); err == nil {
|
if err := httputils.CheckForJSON(r); err != nil {
|
||||||
r.Body.Close()
|
return handler(ctx, w, r, vars)
|
||||||
r.Body = ioutil.NopCloser(&buf)
|
}
|
||||||
|
maxBodySize := 4096 // 4KB
|
||||||
|
if r.ContentLength > int64(maxBodySize) {
|
||||||
|
return handler(ctx, w, r, vars)
|
||||||
|
}
|
||||||
|
|
||||||
|
body := r.Body
|
||||||
|
bufReader := bufio.NewReaderSize(body, maxBodySize)
|
||||||
|
r.Body = ioutils.NewReadCloserWrapper(bufReader, func() error { return body.Close() })
|
||||||
|
|
||||||
|
b, err := bufReader.Peek(maxBodySize)
|
||||||
|
if err != io.EOF {
|
||||||
|
// either there was an error reading, or the buffer is full (in which case the request is too large)
|
||||||
|
return handler(ctx, w, r, vars)
|
||||||
|
}
|
||||||
|
|
||||||
var postForm map[string]interface{}
|
var postForm map[string]interface{}
|
||||||
if err := json.Unmarshal(buf.Bytes(), &postForm); err == nil {
|
if err := json.Unmarshal(b, &postForm); err == nil {
|
||||||
if _, exists := postForm["password"]; exists {
|
if _, exists := postForm["password"]; exists {
|
||||||
postForm["password"] = "*****"
|
postForm["password"] = "*****"
|
||||||
}
|
}
|
||||||
|
@ -45,9 +61,6 @@ func debugRequestMiddleware(handler httputils.APIFunc) httputils.APIFunc {
|
||||||
logrus.Debugf("form data: %q", postForm)
|
logrus.Debugf("form data: %q", postForm)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return handler(ctx, w, r, vars)
|
return handler(ctx, w, r, vars)
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,16 +1,19 @@
|
||||||
package authorization
|
package authorization
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bufio"
|
||||||
"bytes"
|
"bytes"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/Sirupsen/logrus"
|
"github.com/Sirupsen/logrus"
|
||||||
|
"github.com/docker/docker/pkg/ioutils"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const maxBodySize = 1048576 // 1MB
|
||||||
|
|
||||||
// NewCtx creates new authZ context, it is used to store authorization information related to a specific docker
|
// NewCtx creates new authZ context, it is used to store authorization information related to a specific docker
|
||||||
// REST http session
|
// REST http session
|
||||||
// A context provides two method:
|
// A context provides two method:
|
||||||
|
@ -52,18 +55,12 @@ type Ctx struct {
|
||||||
func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
|
func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
|
||||||
var body []byte
|
var body []byte
|
||||||
if sendBody(ctx.requestURI, r.Header) {
|
if sendBody(ctx.requestURI, r.Header) {
|
||||||
var (
|
if r.ContentLength < maxBodySize {
|
||||||
err error
|
var err error
|
||||||
drainedBody io.ReadCloser
|
body, r.Body, err = drainBody(r.Body)
|
||||||
)
|
|
||||||
drainedBody, r.Body, err = drainBody(r.Body)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
defer drainedBody.Close()
|
|
||||||
body, err = ioutil.ReadAll(drainedBody)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -126,15 +123,21 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
|
||||||
|
|
||||||
// drainBody dump the body, it reads the body data into memory and
|
// drainBody dump the body, it reads the body data into memory and
|
||||||
// see go sources /go/src/net/http/httputil/dump.go
|
// see go sources /go/src/net/http/httputil/dump.go
|
||||||
func drainBody(b io.ReadCloser) (io.ReadCloser, io.ReadCloser, error) {
|
func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
|
||||||
var buf bytes.Buffer
|
bufReader := bufio.NewReaderSize(body, maxBodySize)
|
||||||
if _, err := buf.ReadFrom(b); err != nil {
|
newBody := ioutils.NewReadCloserWrapper(bufReader, func() error { return body.Close() })
|
||||||
|
|
||||||
|
data, err := bufReader.Peek(maxBodySize)
|
||||||
|
if err != io.EOF {
|
||||||
|
// This means the request is larger than our max
|
||||||
|
if err == bufio.ErrBufferFull {
|
||||||
|
return nil, newBody, nil
|
||||||
|
}
|
||||||
|
// This means we had an error reading
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
if err := b.Close(); err != nil {
|
|
||||||
return nil, nil, err
|
return data, newBody, nil
|
||||||
}
|
|
||||||
return ioutil.NopCloser(&buf), ioutil.NopCloser(bytes.NewReader(buf.Bytes())), nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// sendBody returns true when request/response body should be sent to AuthZPlugin
|
// sendBody returns true when request/response body should be sent to AuthZPlugin
|
||||||
|
|
Loading…
Reference in a new issue