fix(gw): entity-bytes with negative indexes beyond file size (ipfs#523)
* fix(gateway): bound negative indexes to size of file
* fix: adjust negative to when from is negative too
* chore: gateway-conformance@v0.5

https://github.com/ipfs/gateway-conformance/releases/tag/v0.5.0

---------

Co-authored-by: Marcin Rataj <lidel@lidel.org>
2 people authored and wenyue committed Oct 17, 2024
1 parent 9e2e918 commit e0d58c5
Showing 3 changed files with 18 additions and 10 deletions.
8 changes: 4 additions & 4 deletions .github/workflows/gateway-conformance.yml
Expand Up @@ -16,18 +16,18 @@ jobs:
steps:
# 1. Download the gateway-conformance fixtures
- name: Download gateway-conformance fixtures
uses: ipfs/gateway-conformance/.github/actions/extract-fixtures@v0.4
uses: ipfs/gateway-conformance/.github/actions/extract-fixtures@v0.5
with:
output: fixtures
merged: true

# 2. Build the car-gateway
- name: Setup Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version: 1.21.x
- name: Checkout boxo
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
path: boxo
- name: Build car-gateway
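Review bot: the `uses:` lines in this hunk reference actions by mutable tag (`ipfs/gateway-conformance/.github/actions/extract-fixtures@v0.5`, `actions/setup-go@v4`, `actions/checkout@v4`). A tag can be repointed at different code after this change is reviewed. Pinning each `uses:` to a full commit SHA, with the tag kept in a trailing comment, would make the inputs to this conformance job reproducible and reviewable.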
Expand All @@ -40,7 +40,7 @@ jobs:

# 4. Run the gateway-conformance tests
- name: Run gateway-conformance tests
uses: ipfs/gateway-conformance/.github/actions/test@v0.4
uses: ipfs/gateway-conformance/.github/actions/test@v0.5
with:
gateway-url: http://127.0.0.1:8040
json: output.json
5 changes: 4 additions & 1 deletion CHANGELOG.md
Expand Up @@ -24,7 +24,10 @@ The following emojis are used to highlight certain changes:

### Removed

- 🛠 `gateway`: the header configuration `Config.Headers` and `AddAccessControlHeaders` has been replaced by the new middleware provided by `NewHeaders`.
### Fixed

- 🛠 `boxo/gateway`: when making a trustless CAR request with the "entity-bytes" parameter, using a negative index greater than the underlying entity length could trigger reading more data than intended
- 🛠 `boxo/gateway`: the header configuration `Config.Headers` and `AddAccessControlHeaders` has been replaced by the new middleware provided by `NewHeaders`.

### Security

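Review bot: as rendered here, the `Config.Headers` / `AddAccessControlHeaders` entry no longer sits under `### Removed` but under the new `### Fixed` heading, which leaves `### Removed` empty and files a removal notice as a fix. Keep that entry where it was and add only the entity-bytes line under `### Fixed`. In the new entry, "a negative index greater than the underlying entity length" would read more clearly as a negative index whose absolute value exceeds the entity length. Since the stated effect is "reading more data than intended", consider whether the entry belongs under `### Security` instead.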
15 changes: 10 additions & 5 deletions gateway/blocks_backend.go
Expand Up @@ -508,6 +508,9 @@ func walkGatewaySimpleSelector(ctx context.Context, p path.ImmutablePath, params
return err
}
from = fileLength + entityRange.From
if from < 0 {
from = 0
}
foundFileLength = true
}

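Review bot: the new `if from < 0 { from = 0 }` clamp after `from = fileLength + entityRange.From` has no comment and no unit test in this commit. The three changed files are the workflow, the changelog and this file, so the regression is only exercised through the gateway-conformance bump. Add a one-line comment stating that a negative `From` whose magnitude exceeds the file length is treated as the start of the file, and add a table-driven test in this package covering `From` equal to `-fileLength`, `-(fileLength+1)` and a much larger negative value.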
Expand All @@ -521,13 +524,15 @@ func walkGatewaySimpleSelector(ctx context.Context, p path.ImmutablePath, params
}

to := *entityRange.To
if (*entityRange.To) < 0 && !foundFileLength {
fileLength, err = f.Seek(0, io.SeekEnd)
if err != nil {
return err
if (*entityRange.To) < 0 {
if !foundFileLength {
fileLength, err = f.Seek(0, io.SeekEnd)
if err != nil {
return err
}
foundFileLength = true
}
to = fileLength + *entityRange.To
foundFileLength = true
}

numToRead := 1 + to - from
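Review bot: `to = fileLength + *entityRange.To` is not bounded the way `from` is in the previous hunk, so a negative `To` whose magnitude exceeds the file length leaves `to` negative and makes `numToRead := 1 + to - from` zero or negative. The visible lines do not show how `numToRead` is validated before use. Either reject or clamp `to < from` here, or confirm that the code below handles a non-positive `numToRead` explicitly, and cover that case in a test alongside the `from` cases.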
