Limit size of manifest (#1711)

Signed-off-by: AdamKorcz <adam@adalogics.com>

pkg/v1/remote/fetcher.go

@@ -32,6 +32,12 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/types"
 )
 
+const (
+	kib           = 1024
+	mib           = 1024 * kib
+	manifestLimit = 100 * mib
+)
+
 // fetcher implements methods for reading from a registry.
 type fetcher struct {
 	target resource
@@ -130,7 +136,7 @@ func (f *fetcher) fetchManifest(ctx context.Context, ref name.Reference, accepta
 		return nil, nil, err
 	}
 
-	manifest, err := io.ReadAll(resp.Body)
+	manifest, err := io.ReadAll(io.LimitReader(resp.Body, manifestLimit))
 	if err != nil {
 		return nil, nil, err
 	}