oci: cas: use blob file size as ExpectedSize

In a future patch, ExpectedSize < 0 will no longer be supported by
VerifiedReadCloser.

However, this also gives us an opportunity to add a bit of extra
hardening here -- if an attacker can write blobs to our store then they
could in theory trigger a DoS by constantly writing more bytes (or
expanding a zero section of a sparse file) if we do not have some hard
limit. The current file size is as good a limit as any (and is going to
be correct in all reasonable cases).

This also lets us avoid double-hashing blobs in the common case where
the blob size is correct (because then the VerifiedReadCloser returned
by GetVerifiedBlob() will be a no-op).

Signed-off-by: Aleksa Sarai <[email protected]>

Author: cyphar

oci/cas/dir/dir.go

@@ -244,10 +244,17 @@ func (e *dirEngine) GetBlob(_ context.Context, digest digest.Digest) (io.ReadClo
 	if err != nil {
 		return nil, fmt.Errorf("open blob: %w", err)
 	}
+	st, err := fh.Stat()
+	if err != nil {
+		return nil, fmt.Errorf("stat blob: %w", err)
+	}
 	return &hardening.VerifiedReadCloser{
 		Reader:         fh,
 		ExpectedDigest: digest,
-		ExpectedSize:   int64(-1), // We don't know the expected size.
+		// Assume the file size is the blob size. This is almost certainly true
+		// in general, and if an attacker is modifying the blobs underneath us
+		// then snapshotting the size makes sure we don't read endlessly.
+		ExpectedSize: st.Size(),
 	}, nil
 }