Consider exposing a max response buffer size #203

Open
akashsinghal opened this issue Apr 14, 2025 · 1 comment
Labels
enhancement New feature or request

@akashsinghal

What is the version or commit of the ORAS .NET library?

No response

What would you like to be added?

It seems the ORAS dotnet ManifestStore operations utilize the HttpResponse.Content.ReadAsStreamAsync for loading response body content into a stream. This can be potentially unsafe as the underlying MemoryStream buffer size is by default set to be the Int.MaxSize which comes to be ~2gb. This can lead to potential memory exhaustion if the upstream server is malicious and reports an incorrect Content-Length in the headers. There should be a check to enforce a max size (maybe 4mb) and have this be overridable.

return await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);

Taking a look at the source code for ReadAsStreamAsync,
https://github.com/dotnet/runtime/blob/5535e31a712343a63f5d7d796cd874e563e5ac14/src/libraries/System.Net.Http/src/System/Net/Http/HttpContent.cs#L286
you can see that if the content has not been loaded before into a temporary buffer, a new buffer is created with the size MaxSizeBytes
https://github.com/dotnet/runtime/blob/5535e31a712343a63f5d7d796cd874e563e5ac14/src/libraries/System.Net.Http/src/System/Net/Http/HttpContent.cs#L550

Why is this needed for the ORAS .NET library?

Protect clients from large responses.

Are you willing to submit PRs to contribute to this feature?

  • Yes, I am willing to implement it.
@akashsinghal akashsinghal added enhancement New feature or request triage New issues or PRs to be acknowledged by maintainers labels Apr 14, 2025
@Wwwsylvia
Member

With the new auth client introduced in #200, Repository now relies on an IClient interface and accepts customized HTTP clients.
Users can configure the MaxResponseContentBufferSize property on their HttpClient and pass the client to ORAS.

Additionally, we will have another feature #167 to limit the max size of response body buffered for internal processing.

@Wwwsylvia Wwwsylvia removed the triage New issues or PRs to be acknowledged by maintainers label May 22, 2025
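
An added example, not code from the ORAS .NET library or from either participant: one way to cap a response body as the issue requests, rejecting on the declared Content-Length first and then enforcing the limit on the bytes actually received. The names `BoundedBody`, `ReadAsync` and `DefaultMaxBytes` are hypothetical, and the 4 MiB default is an assumption taken from the issue's "maybe 4mb".

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

public static class BoundedBody // hypothetical helper, not an ORAS type
{
    // Assumed default taken from the issue's "maybe 4mb"; callers may override it.
    public const long DefaultMaxBytes = 4 * 1024 * 1024;

    public static async Task<byte[]> ReadAsync(HttpResponseMessage response,
        long maxBytes = DefaultMaxBytes, CancellationToken ct = default)
    {
        // Early reject on the declared length. It is only a hint: it can be absent or wrong.
        long? declared = response.Content.Headers.ContentLength;
        if (declared > maxBytes)
            throw new InvalidDataException($"declared length {declared} exceeds cap {maxBytes}");

        using Stream body = await response.Content.ReadAsStreamAsync(ct).ConfigureAwait(false);
        using var buffer = new MemoryStream();
        var chunk = new byte[81920];
        int n;
        while ((n = await body.ReadAsync(chunk.AsMemory(), ct).ConfigureAwait(false)) > 0)
        {
            // Enforce the cap on bytes actually received, whatever the header claimed.
            if (buffer.Length + n > maxBytes)
                throw new InvalidDataException($"body exceeds cap of {maxBytes} bytes");
            buffer.Write(chunk, 0, n);
        }
        return buffer.ToArray();
    }
}

public static class Demo
{
    public static async Task Main()
    {
        // Constructed sample: 5 MiB body whose Content-Length header claims 10 bytes.
        var content = new StreamContent(new MemoryStream(new byte[5 * 1024 * 1024]));
        content.Headers.ContentLength = 10;
        using var response = new HttpResponseMessage { Content = content };
        try { await BoundedBody.ReadAsync(response); }
        catch (InvalidDataException e) { Console.WriteLine($"rejected: {e.Message}"); }
    }
}
```

Against a live registry, the response would need to be obtained with `HttpCompletionOption.ResponseHeadersRead` so that `HttpClient` does not buffer the whole body before this check runs.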