Refactor DoS limits to separate func (#364)

* Refactor DoS limits to separate func Signed-off-by: Cody Soyland <codysoyland@github.com> * Use condensed syntax Signed-off-by: Cody Soyland <codysoyland@github.com> --------- Signed-off-by: Cody Soyland <codysoyland@github.com>
sigstore · Dec 20, 2024 · cd3c718 · cd3c718
1 parent f46b272
commit cd3c718
Showing 1 changed file with 21 additions and 17 deletions.
diff --git a/pkg/verify/signature.go b/pkg/verify/signature.go
@@ -24,6 +24,7 @@ import (
 	"hash"
 	"io"
 
+	in_toto "github.com/in-toto/attestation/go/v1"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/sigstore-go/pkg/root"
 	"github.com/sigstore/sigstore/pkg/signature"
@@ -142,6 +143,10 @@ func verifyEnvelopeWithArtifact(verifier signature.Verifier, envelope EnvelopeCo
 	if err != nil {
 		return fmt.Errorf("could not verify artifact: unable to extract statement from envelope: %w", err)
 	}
+	if err = limitSubjects(statement); err != nil {
+		return err
+	}
+
 	var artifactDigestAlgorithm string
 	var artifactDigest []byte
 
@@ -182,17 +187,8 @@ func verifyEnvelopeWithArtifact(verifier signature.Verifier, envelope EnvelopeCo
 	}
 	artifactDigest = hasher.Sum(nil)
 
-	// limit the number of subjects to prevent DoS
-	if len(statement.Subject) > maxAllowedSubjects {
-		return fmt.Errorf("too many subjects: %d > %d", len(statement.Subject), maxAllowedSubjects)
-	}
-
 	// Look for artifact digest in statement
 	for _, subject := range statement.Subject {
-		// limit the number of digests to prevent DoS
-		if len(subject.Digest) > maxAllowedSubjectDigests {
-			return fmt.Errorf("too many digests: %d > %d", len(subject.Digest), maxAllowedSubjectDigests)
-		}
 		for alg, digest := range subject.Digest {
 			hexdigest, err := hex.DecodeString(digest)
 			if err != nil {
@@ -215,17 +211,11 @@ func verifyEnvelopeWithArtifactDigest(verifier signature.Verifier, envelope Enve
 	if err != nil {
 		return fmt.Errorf("could not verify artifact: unable to extract statement from envelope: %w", err)
 	}
-
-	// limit the number of subjects to prevent DoS
-	if len(statement.Subject) > maxAllowedSubjects {
-		return fmt.Errorf("too many subjects: %d > %d", len(statement.Subject), maxAllowedSubjects)
+	if err = limitSubjects(statement); err != nil {
+		return err
 	}
 
 	for _, subject := range statement.Subject {
-		// limit the number of digests to prevent DoS
-		if len(subject.Digest) > maxAllowedSubjectDigests {
-			return fmt.Errorf("too many digests: %d > %d", len(subject.Digest), maxAllowedSubjectDigests)
-		}
 		for alg, digest := range subject.Digest {
 			if alg == artifactDigestAlgorithm {
 				hexdigest, err := hex.DecodeString(digest)
@@ -265,3 +255,17 @@ func verifyMessageSignatureWithArtifactDigest(verifier signature.Verifier, msg M
 
 	return nil
 }
+
+// limitSubjects limits the number of subjects and digests in a statement to prevent DoS.
+func limitSubjects(statement *in_toto.Statement) error {
+	if len(statement.Subject) > maxAllowedSubjects {
+		return fmt.Errorf("too many subjects: %d > %d", len(statement.Subject), maxAllowedSubjects)
+	}
+	for _, subject := range statement.Subject {
+		// limit the number of digests too
+		if len(subject.Digest) > maxAllowedSubjectDigests {
+			return fmt.Errorf("too many digests: %d > %d", len(subject.Digest), maxAllowedSubjectDigests)
+		}
+	}
+	return nil
+}