fix: limit the plugin output size

[JeyJeyGao]

Fix:

• set the plugin output limit for STDOUT and STDERR to be 10MiB

Test:

• when the plugin output size exceeds 10MiB, the output pipe breaks, and the plugin process outputs an error to STDERR

Spec changes: notaryproject/specifications#320
Resolves #187

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.47%. Comparing base (57c5e0d) to head (8d6e3cc).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #484      +/-   ##
==========================================
+ Coverage   80.39%   80.47%   +0.08%     
==========================================
  Files          34       35       +1     
  Lines        3330     3344      +14     
==========================================
+ Hits         2677     2691      +14     
  Misses        508      508              
  Partials      145      145              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Two-Hearts]

I actually have a couple of questions regarding this PR and the issue #187 itself:

1. We are essentially limiting the behavior of a plugin due to a certain extent of untrust. Do we need to reflect this in the Notary project spec? (such as, where does the 10MiB comes from?)
2. What security concern do we have if the plugin output size is larger than 10 MiB? According to Notation threat model: https://github.com/notaryproject/specifications/blob/main/threatmodels/notation-threatmodel.md, plugins are inside the trust boundary. If we do not trust the plugin's output, how do we interpret the trust boundary then?

[JeyJeyGao]

I actually have a couple of questions regarding this PR and the issue #187 itself:

1. We are essentially limiting the behavior of a plugin due to a certain extent of untrust. Do we need to reflect this in the Notary project spec? (such as, where does the 10MiB comes from?)
2. What security concern do we have if the plugin output size is larger than 10 MiB? According to Notation threat model: https://github.com/notaryproject/specifications/blob/main/threatmodels/notation-threatmodel.md, plugins are inside the trust boundary. If we do not trust the plugin's output, how do we interpret the trust boundary then?

1. The limit has been updated to 64 MiB, which is almost impossible to be reached by a normal plugin. The limitation depends on the implementation; different implementations may have different concerns that lead to different limitation decisions. The limitation is more like a notation-specific setting rather than a specification requirement. If we need to update the specification, we can mention that the plugin output may have size limitations depending on the implementation.
2. We don’t have security concerns regarding this issue. The goal is to improve system reliability when a plugin has a bug or generates unexpected output. Notation-go can generate proper logs without killing the process directly, ensuring proper handling.

[Two-Hearts]

1. The limit has been updated to 64 MiB, which is almost impossible to be reached by a normal plugin. The limitation depends on the implementation; different implementations may have different concerns that lead to different limitation decisions. The limitation is more like a notation-specific setting rather than a specification requirement. If we need to update the specification, we can mention that the plugin output may have size limitations depending on the implementation.

Note: any extra restriction on the plugin without reflecting in the spec may lead to potential breaking changes for Notation. It's not about the number, whether it's 10 or 64. It's about best practice. The reason is simple, plugin builders follow the spec: https://github.com/notaryproject/specifications/blob/main/specs/plugin-extensibility.md to build their plugins. Any extra restriction that's not in that spec can be a hidden rule and unexpected.

2. We don’t have security concerns regarding this issue. The goal is to improve system reliability when a plugin has a bug or generates unexpected output. Notation-go can generate proper logs without killing the process directly, ensuring proper handling.

If we indeed do not have any security concern regarding this issue, then we should leave the control to plugin authors and users. If a plugin has a bug, its usage should be dropped until the bug is fixed right? I don't think this is in Notation's scope, just like we do not censor the output content of a plugin.

[JeyJeyGao]

1. The limit has been updated to 64 MiB, which is almost impossible to be reached by a normal plugin. The limitation depends on the implementation; different implementations may have different concerns that lead to different limitation decisions. The limitation is more like a notation-specific setting rather than a specification requirement. If we need to update the specification, we can mention that the plugin output may have size limitations depending on the implementation.

Note: any extra restriction on the plugin without reflecting in the spec may lead to potential breaking changes for Notation. It's not about the number, whether it's 10 or 64. It's about best practice. The reason is simple, plugin builders follow the spec: https://github.com/notaryproject/specifications/blob/main/specs/plugin-extensibility.md to build their plugins. Any extra restriction that's not in that spec can be a hidden rule and unexpected.

2. We don’t have security concerns regarding this issue. The goal is to improve system reliability when a plugin has a bug or generates unexpected output. Notation-go can generate proper logs without killing the process directly, ensuring proper handling.

If we indeed do not have any security concern regarding this issue, then we should leave the control to plugin authors and users. If a plugin has a bug, its usage should be dropped until the bug is fixed right? I don't think this is in Notation's scope, just like we do not censor the output content of a plugin.

As per our online discussion, I created a corresponding Spec PR: notaryproject/specifications#320

[shizhMSFT]

LGTM with suggestions

[Two-Hearts]

LGTM

[shizhMSFT]

LGTM

[Two-Hearts]

LGTM

[Two-Hearts]

@JeyJeyGao Please sign all the commits.