Limit the memory allocation when parsing ber encoded components in the LiteralSubject field

[wallrj]

The go-ldap and asn-ber libraries both limit the message length in their fuzz tests because the default limit is 2GiB which crashes their test runners:

• https://github.com/go-ldap/ldap/blob/25b14db0ff3f3c0e927771e4441cdf61400367fd/fuzz_test.go#L13-L21
• https://github.com/go-asn1-ber/asn1-ber/blob/master/fuzz_test.go#L33C1-L37

We can set the same limit before invoking ParseDN to avoid 2GiB memory being accidentally or maliciously allocated in the webhook component every time a LiteralSubject field value gets parsed.

I prefer this small change to the proposed re-implementation of ParseDN in #6761 because it allows us to continue using go-ldap library which I predict will do a better job than us of parsing these Subject strings which are compatible with a wide range of LDAP systems.

xref:

• Stop using github.com/go-ldap/ldap/v3 ParseDN and use a custom ParseDN function instead #6761
• Fix a memory bug in ldap's ParseDN function by disabling part of the functionality #6770
• Memory leak in ParseDN go-ldap/ldap#487

/kind bug

Mitigate a potential DoS against the webhook component, by limiting the maximum length of `ber` encoded literal subject field to 64KiB. Only affects those using the LiteralSubject feature.

[wallrj]

/retest

[inteon]

@wallrj did you fuzz test this approach?

[wallrj]

@wallrj did you fuzz test this approach?

I have not. It's a good idea though...I'm just not too familiar with the process. I see that @AdamKorcz added cert-manager project to the Google oss-fuzz project so perhaps there's a way to trigger that system for every PR?

• cert-manager: initial integration google/oss-fuzz#11261

I did link to the fuzz tests in the go-ldap and go-asn1-ber libraries in the PR description.

[jetstack-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from wallrj. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jetstack-bot]

@wallrj: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cert-manager-release-1.14-e2e-v1-29-upgrade	3d7ffdf	link	true	/test pull-cert-manager-release-1.14-e2e-v1-29-upgrade

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[jetstack-bot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[inteon]

This will be fixed by go-asn1-ber/asn1-ber#42

[inteon]

Fixed in the PRs listed in #7030.