Skip to content

Validate downloaded plugin binary size#2941

Merged
cipherboy merged 3 commits into
openbao:mainfrom
cipherboy:fix-plugin-reads
Apr 20, 2026
Merged

Validate downloaded plugin binary size#2941
cipherboy merged 3 commits into
openbao:mainfrom
cipherboy:fix-plugin-reads

Conversation

@cipherboy

@cipherboy cipherboy commented Apr 20, 2026

Copy link
Copy Markdown
Member

To protect against a malicious plugin OCI image. This patch introcudes a new config setting plugin_download_max_size that controlls the maximum allowed plugin binary size (Default 512 MiB). We now check the reported plugin size in the Tar Header of the extracted OCI image against that limit and fail if it is exceeded. For good measure we also now check if there's enough disk space left to extract the plugin before we try to do so and if the amount of bytes we copied matched what was reported in the Tar Header.

Description

Rationale

Resolves: #

Acknowledgements

  • By contributing this change, I certify I have not used generative AI
    (GitHub Copilot, Cursor, Claude Code, &c) in authoring these changes or
    filling out the pull request description or associated issue.
  • By contributing this change, I certify I have signed-off on the
    DCO ownership statement
    and this change did not use post-BUSL-licensed code from HashiCorp.
    Existing MPL-licensed code is still allowed, subject to attribution.
    Code authored by yourself and submitted to HashiCorp for inclusion is
    also allowed.

JanMa and others added 2 commits April 20, 2026 12:40
@JanMa @cipherboy
validate downloaded plugin binary size
338e6a2 
To protect against a malicious plugin OCI image. This patch introcudes a
new config setting `plugin_download_max_size` that controlls the maximum allowed
plugin binary size (Default 512 MiB). We now check the reported plugin
size in the Tar Header of the extracted OCI image against that limit and
fail if it is exceeded. For good measure we also now check if there's
enough disk space left to extract the plugin before we try to do so and
if the amount of bytes we copied matched what was reported in the Tar
Header.

Signed-off-by: Jan Martens <jan@martens.eu.org>
@JanMa @wslabosz-reply @cipherboy
Update website/content/docs/configuration/plugins.mdx
f9337cc 
Co-authored-by: Wojciech Slabosz <wojciech.slabosz@sap.com>
Signed-off-by: Jan Martens <44572196+JanMa@users.noreply.github.com>
@cipherboy cipherboy added this to the v2.6.0 - Beta milestone Apr 20, 2026
@cipherboy cipherboy requested review from a team as code owners April 20, 2026 17:41
@cipherboy cipherboy added bug Something isn't working needs-backport Needs backport to release branch core/plugin Related to the plugin subsystem backport-2.5.x labels Apr 20, 2026
@cipherboy
Add changelog entry
6b183b2 
Signed-off-by: Alexander Scheel <alex.scheel@control-plane.io>
@cipherboy cipherboy requested review from a team as code owners April 20, 2026 17:42
@cipherboy cipherboy merged commit 2b2a901 into openbao:main Apr 20, 2026
51 of 52 checks passed
@cipherboy

cipherboy commented Apr 20, 2026

Copy link
Copy Markdown
Member Author

Thank you @JanMa for patch development!

@satoqz satoqz mentioned this pull request Apr 20, 2026
Merged
2 tasks
@satoqz satoqz removed the needs-backport Needs backport to release branch label Apr 20, 2026
satoqz added a commit that referenced this pull request Apr 20, 2026
@satoqz @cipherboy
@JanMa @wslabosz-reply
Validate downloaded plugin binary size (#2941) (#2944)
af576af 
To protect against a malicious plugin OCI image. This patch introcudes a
new config setting `plugin_download_max_size` that controlls the maximum allowed
plugin binary size (Default 512 MiB). We now check the reported plugin
size in the Tar Header of the extracted OCI image against that limit and
fail if it is exceeded. For good measure we also now check if there's
enough disk space left to extract the plugin before we try to do so and
if the amount of bytes we copied matched what was reported in the Tar
Header.

Signed-off-by: Jan Martens <jan@martens.eu.org>
Signed-off-by: Jan Martens <44572196+JanMa@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@control-plane.io>
Co-authored-by: Alexander Scheel <alex.scheel@control-plane.io>
Co-authored-by: Jan Martens <jan@martens.eu.org>
Co-authored-by: Jan Martens <44572196+JanMa@users.noreply.github.com>
Co-authored-by: Wojciech Slabosz <wojciech.slabosz@sap.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@satoqz satoqz satoqz approved these changes

@JanMa JanMa JanMa approved these changes

Assignees

No one assigned

Labels

backport-2.5.x bug Something isn't working core/plugin Related to the plugin subsystem

Projects

None yet

Milestone

v2.6.0 - Beta

Development

Successfully merging this pull request may close these issues.

3 participants

@cipherboy @satoqz @JanMa