
context: cap TLS reads during zip import #7017

Open
VrtxOmega wants to merge 1 commit into docker:master from VrtxOmega:6917-context-import-tls-size-limit

@VrtxOmega

- What I did

Applied the existing context-import decompressed read limit to TLS entries in zip context archives.

Fixes #6917

- How I did it

  • wrapped zip tls/ entry reads with limitedReader, matching meta.json
  • tightened limitedReader so it probes the underlying reader at the zero-remaining boundary and reports data beyond the limit
  • added regressions for oversized compressed TLS entries and the exact limit-plus-one reader boundary

- How to verify it

```
GO111MODULE=auto GOPATH=<temp-gopath> go test github.com/docker/cli/cli/context/store -run 'TestImportZipRejectsOversizedTLSFile|TestLimitReaderReadAll' -count=1
GO111MODULE=auto GOPATH=<temp-gopath> go test github.com/docker/cli/cli/context/store -count=1
GO111MODULE=auto GOPATH=<temp-gopath> go test github.com/docker/cli/cli/context/store github.com/docker/cli/cli/command/context -count=1
git diff --check
```

- Human readable description for the release notes

`docker context import` now enforces the decompressed size limit for TLS material in zip archives.

Signed-off-by: Rage Lopez <VrtxOmega@pm.me>
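
An added sketch of the boundary behaviour the description above refers to, not the code from this pull request: a reader that caps decompressed bytes from a zip entry and, once its budget is spent, probes the underlying stream so that an entry of exactly the limit succeeds and one of limit plus one byte fails. `cappedReader`, `errTooLarge` and `readEntry` are hypothetical names, and the entry name and sizes are constructed sample input.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

var errTooLarge = errors.New("entry exceeds decompressed size limit") // hypothetical

// cappedReader (hypothetical name) passes through at most lr.N bytes of lr.R.
type cappedReader struct{ lr io.LimitedReader }

func (c *cappedReader) Read(p []byte) (int, error) {
	if c.lr.N > 0 {
		return c.lr.Read(p)
	}
	// Budget spent: a one-byte probe tells "exactly N" (EOF) from "more than N".
	var probe [1]byte
	if k, err := c.lr.R.Read(probe[:]); k == 0 {
		return 0, err
	}
	return 0, errTooLarge
}

// readEntry zips size zero bytes (constructed input) and reads them back under the cap.
func readEntry(name string, size int, limit int64) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, _ := w.Create(name)
	f.Write(make([]byte, size))
	w.Close()
	zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	if err != nil {
		return nil, err
	}
	rc, err := zr.File[0].Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	return io.ReadAll(&cappedReader{lr: io.LimitedReader{R: rc, N: limit}})
}

func main() {
	_, err := readEntry("tls/docker/ca.pem", 1<<20, 4096)
	fmt.Println(err)
}
```

A 1 MiB run of zeros compresses to roughly a kilobyte, which is why the cap has to be applied to the decompressed stream rather than to the archive size.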
Development

Successfully merging this pull request may close these issues.

docker context import TLS Entry Handling results in OOM
