Merged PR 32989: [release/6.0] limit AIA download size

Tomas Weinfurt · carlossanlop · commit ad40cc35b59e · 2023-08-15T21:49:00.000Z
This prevents using unlimited resources from evil sources. I originally wanted to split limits and have them separately for certificates, OCSP and CRLs. However, the HttpClient.MaxResponseContentBufferSize can be set only once so I decided to keep it simple for servicing. We could split the HttpClient and have one for small and one for large downloads. Or alternatively we can handle the body directly. But it is going to be unpleseant with the reflection and sync & async flavors. port of https://dev.azure.com/dnceng/internal/_git/dotnet-runtime/pullrequest/32920
diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/CertificateAssetDownloader.cs b/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/CertificateAssetDownloader.cs
@@ -15,6 +15,9 @@ namespace Internal.Cryptography.Pal
 {
     internal static class CertificateAssetDownloader
     {
+        private const long DefaultAiaDownloadLimit = 100 * 1024 * 1024;
+
+        private static long AiaDownloadLimit { get; } = GetValue("System.Security.Cryptography.AiaDownloadLimit", DefaultAiaDownloadLimit);
         private static readonly Func<string, CancellationToken, byte[]?>? s_downloadBytes = CreateDownloadBytesFunc();
 
         internal static X509Certificate2? DownloadCertificate(string uri, TimeSpan downloadTimeout)
@@ -161,6 +164,7 @@ internal static class CertificateAssetDownloader
                 PropertyInfo? requestUriProp = httpRequestMessageType.GetProperty("RequestUri");
                 ConstructorInfo? httpRequestMessageCtor = httpRequestMessageType.GetConstructor(Type.EmptyTypes);
                 MethodInfo? sendMethod = httpClientType.GetMethod("Send", new Type[] { httpRequestMessageType, typeof(CancellationToken) });
+                PropertyInfo? maxResponseContentBufferSizeProp = httpClientType.GetProperty("MaxResponseContentBufferSize");
                 PropertyInfo? responseContentProp = httpResponseMessageType.GetProperty("Content");
                 PropertyInfo? responseStatusCodeProp = httpResponseMessageType.GetProperty("StatusCode");
                 PropertyInfo? responseHeadersProp = httpResponseMessageType.GetProperty("Headers");
@@ -169,7 +173,7 @@ internal static class CertificateAssetDownloader
 
                 if (socketsHttpHandlerCtor == null || pooledConnectionIdleTimeoutProp == null || allowAutoRedirectProp == null || httpClientCtor == null ||
                     requestUriProp == null || httpRequestMessageCtor == null || sendMethod == null || responseContentProp == null || responseStatusCodeProp == null ||
-                    responseHeadersProp == null || responseHeadersLocationProp == null || readAsStreamMethod == null)
+                    responseHeadersProp == null || responseHeadersLocationProp == null || readAsStreamMethod == null || maxResponseContentBufferSizeProp == null)
                 {
                     Debug.Fail("Unable to load required member.");
                     return null;
@@ -190,6 +194,7 @@ internal static class CertificateAssetDownloader
                 pooledConnectionIdleTimeoutProp.SetValue(socketsHttpHandler, TimeSpan.FromSeconds(PooledConnectionIdleTimeoutSeconds));
                 allowAutoRedirectProp.SetValue(socketsHttpHandler, false);
                 object? httpClient = httpClientCtor.Invoke(new object?[] { socketsHttpHandler });
+                maxResponseContentBufferSizeProp.SetValue(httpClient, AiaDownloadLimit);
 
                 return (string uriString, CancellationToken cancellationToken) =>
                 {
@@ -313,5 +318,24 @@ private static bool IsAllowedScheme(string scheme)
         {
             return string.Equals(scheme, "http", StringComparison.OrdinalIgnoreCase);
         }
+
+        private static long GetValue(string name, long defaultValue)
+        {
+            object? data = AppContext.GetData(name);
+
+            if (data is null)
+            {
+                return defaultValue;
+            }
+
+            try
+            {
+                return Convert.ToInt64(data);
+            }
+            catch
+            {
+                return defaultValue;
+            }
+        }
     }
 }
