[ws-manager] Limit max secret length

csweichel · roboquat · commit 04b9a640240d · 2022-07-06T19:22:53.000+05:30
to introduce a benign failure mode compared to the
Kubernetes provided message.
diff --git a/components/content-service-api/go/initializer.go b/components/content-service-api/go/initializer.go
@@ -86,6 +86,10 @@ func InjectSecretsToInitializer(init *WorkspaceInitializer, secrets map[string][
 
 // WalkInitializer walks the initializer structure
 func WalkInitializer(path []string, init *WorkspaceInitializer, visitor func(path []string, init *WorkspaceInitializer) error) error {
+	if init == nil {
+		return nil
+	}
+
 	switch spec := init.Spec.(type) {
 	case *WorkspaceInitializer_Backup:
 		return visitor(append(path, "backup"), init)
diff --git a/components/content-service-api/go/initializer_test.go b/components/content-service-api/go/initializer_test.go
@@ -100,6 +100,9 @@ func TestGetCheckoutLocationsFromInitializer(t *testing.T) {
 			},
 			Expectation: "/foo,/bar",
 		},
+		{
+			Name: "nil initializer",
+		},
 	}
 
 	for _, test := range tests {
diff --git a/components/ws-manager/pkg/manager/create.go b/components/ws-manager/pkg/manager/create.go
@@ -42,6 +42,13 @@ var (
 	boolTrue  = true
 )
 
+const (
+	// maxSecretsLength is the maximum number of bytes a workspace secret may contain. This size is exhausted by
+	// environment variables provided as part of the start workspace request.
+	// The value of 768kb is a somewhat arbitrary choice, but steers way clear of the 1MiB Kubernetes imposes.
+	maxSecretsLength = 768 * 1024 * 1024
+)
+
 // createWorkspacePod creates the actual workspace pod based on the definite workspace pod and appropriate
 // templates. The result of this function is not expected to be modified prior to being passed to Kubernetes.
 func (m *Manager) createWorkspacePod(startContext *startWorkspaceContext) (*corev1.Pod, error) {
@@ -962,7 +969,10 @@ func (m *Manager) newStartWorkspaceContext(ctx context.Context, req *api.StartWo
 		}
 	}
 
-	secrets := make(map[string]string)
+	var (
+		secrets    = make(map[string]string)
+		secretsLen int
+	)
 	for _, env := range req.Spec.Envvars {
 		if env.Secret != nil {
 			continue
@@ -973,9 +983,14 @@ func (m *Manager) newStartWorkspaceContext(ctx context.Context, req *api.StartWo
 
 		name := fmt.Sprintf("%x", sha256.Sum256([]byte(env.Name)))
 		secrets[name] = env.Value
+		secretsLen += len(env.Value)
 	}
 	for k, v := range csapi.ExtractSecretsFromInitializer(req.Spec.Initializer) {
 		secrets[k] = v
+		secretsLen += len(v)
+	}
+	if secretsLen > maxSecretsLength {
+		return nil, xerrors.Errorf("secrets exceed maximum permitted length (%d > %d bytes): please reduce the numer or length of environment variables", secretsLen, maxSecretsLength)
 	}
 
 	return &startWorkspaceContext{
diff --git a/components/ws-manager/pkg/manager/create_test.go b/components/ws-manager/pkg/manager/create_test.go
@@ -17,15 +17,67 @@ import (
 	"sigs.k8s.io/yaml"
 
 	ctesting "github.com/gitpod-io/gitpod/common-go/testing"
+	csapi "github.com/gitpod-io/gitpod/content-service/api"
 	"github.com/gitpod-io/gitpod/ws-manager/api"
 	config "github.com/gitpod-io/gitpod/ws-manager/api/config"
+	"github.com/google/go-cmp/cmp"
 )
 
 var (
 	team    = "awesome"
 	project = "gitpod"
 )
 
+func TestNewStartWorkspaceContext(t *testing.T) {
+	type Expectation struct {
+		Context *startWorkspaceContext
+		Error   string
+	}
+	tests := []struct {
+		Name        string
+		Req         *api.StartWorkspaceRequest
+		Expectation Expectation
+	}{
+		{
+			Name: "oversized secrets",
+			Req: &api.StartWorkspaceRequest{
+				Metadata: &api.WorkspaceMetadata{Owner: "foo"},
+				Spec: &api.StartWorkspaceSpec{
+					Initializer: &csapi.WorkspaceInitializer{
+						Spec: &csapi.WorkspaceInitializer_Empty{},
+					},
+					Envvars: []*api.EnvironmentVariable{
+						{Name: "too_large", Value: string(func() []byte { return make([]byte, 2*maxSecretsLength) }())},
+					},
+				},
+			},
+			Expectation: Expectation{
+				Error: "secrets exceed maximum permitted length (1610612736 > 805306368 bytes): please reduce the numer or length of environment variables",
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.Name, func(t *testing.T) {
+			mgmtCfg := forTestingOnlyManagerConfig()
+			manager := &Manager{Config: mgmtCfg}
+
+			sctx, err := manager.newStartWorkspaceContext(context.Background(), test.Req)
+
+			act := Expectation{
+				Context: sctx,
+			}
+			if err != nil {
+				act.Error = err.Error()
+			}
+
+			if diff := cmp.Diff(test.Expectation, act); diff != "" {
+				t.Errorf("unexpected newStartWorkspaceContext (-want +got):\n%s", diff)
+			}
+		})
+	}
+}
+
 func TestCreateDefiniteWorkspacePod(t *testing.T) {
 	type WorkspaceClass struct {
 		DefaultTemplate    *corev1.Pod                   `json:"defaultTemplate,omitempty"`

Original file line number	Diff line number	Diff line change
`@@ -100,6 +100,9 @@ func TestGetCheckoutLocationsFromInitializer(t *testing.T) {`
`100`	`100`	`},`
`101`	`101`	`Expectation: "/foo,/bar",`
`102`	`102`	`},`
	`103`	`+ {`
	`104`	`+ Name: "nil initializer",`
	`105`	`+ },`
`103`	`106`	`}`
`104`	`107`
`105`	`108`	`for _, test := range tests {`