Function [identity.extractIssuerURL](https://github.com/sigstore/fulcio/blob/main/pkg/identity/issuerpool.go#L44-L45) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to `extractIssuerURL` incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: [CWE-405: Asymmetric R…
GHSA-f83f-xpx7-ffpw: Fulcio allocates excessive memory during token parsing
Fulcio's identity.extractIssuerURL function has a memory allocation vulnerability (GHSA-f83f-xpx7-ffpw) that can be exploited via malicious OIDC identity tokens with excessive periods.