From bf34cd0777d8813def8a5fc3312b7287501df9a7 Mon Sep 17 00:00:00 2001 From: Hannah Howard Date: Thu, 25 Jan 2024 09:34:42 -0800 Subject: [PATCH] fix(gw): entity-bytes with negative indexes beyond file size (#523) * fix(gateway): bound negative indexes to size of file * fix: adjust negative to when from is negative too * chore: gateway-conformance@v0.5 https://github.com/ipfs/gateway-conformance/releases/tag/v0.5.0 --------- Co-authored-by: Marcin Rataj --- .github/workflows/gateway-conformance.yml | 8 ++++---- CHANGELOG.md | 5 ++++- gateway/blocks_backend.go | 15 ++++++++++----- 3 files changed, 18 insertions(+), 10 deletions(-) diff --git a/.github/workflows/gateway-conformance.yml b/.github/workflows/gateway-conformance.yml index f45e9aedf..c9c3eb072 100644 --- a/.github/workflows/gateway-conformance.yml +++ b/.github/workflows/gateway-conformance.yml @@ -16,18 +16,18 @@ jobs: steps: # 1. Download the gateway-conformance fixtures - name: Download gateway-conformance fixtures - uses: ipfs/gateway-conformance/.github/actions/extract-fixtures@v0.4 + uses: ipfs/gateway-conformance/.github/actions/extract-fixtures@v0.5 with: output: fixtures merged: true # 2. Build the car-gateway - name: Setup Go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: go-version: 1.21.x - name: Checkout boxo - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: path: boxo - name: Build car-gateway @@ -40,7 +40,7 @@ jobs: # 4. Run the gateway-conformance tests - name: Run gateway-conformance tests - uses: ipfs/gateway-conformance/.github/actions/test@v0.4 + uses: ipfs/gateway-conformance/.github/actions/test@v0.5 with: gateway-url: http://127.0.0.1:8040 json: output.json diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b16d4865..773cd1807 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,7 +24,10 @@ The following emojis are used to highlight certain changes: ### Removed -- 🛠 `gateway`: the header configuration `Config.Headers` and `AddAccessControlHeaders` has been replaced by the new middleware provided by `NewHeaders`. +### Fixed + +- 🛠 `boxo/gateway`: when making a trustless CAR request with the "entity-bytes" parameter, using a negative index greater than the underlying entity length could trigger reading more data than intended +- 🛠 `boxo/gateway`: the header configuration `Config.Headers` and `AddAccessControlHeaders` has been replaced by the new middleware provided by `NewHeaders`. ### Security diff --git a/gateway/blocks_backend.go b/gateway/blocks_backend.go index fe188ae71..d85c2846b 100644 --- a/gateway/blocks_backend.go +++ b/gateway/blocks_backend.go @@ -508,6 +508,9 @@ func walkGatewaySimpleSelector(ctx context.Context, p path.ImmutablePath, params return err } from = fileLength + entityRange.From + if from < 0 { + from = 0 + } foundFileLength = true } @@ -521,13 +524,15 @@ func walkGatewaySimpleSelector(ctx context.Context, p path.ImmutablePath, params } to := *entityRange.To - if (*entityRange.To) < 0 && !foundFileLength { - fileLength, err = f.Seek(0, io.SeekEnd) - if err != nil { - return err + if (*entityRange.To) < 0 { + if !foundFileLength { + fileLength, err = f.Seek(0, io.SeekEnd) + if err != nil { + return err + } + foundFileLength = true } to = fileLength + *entityRange.To - foundFileLength = true } numToRead := 1 + to - from