From b075490db5dd3181952c35981c564fb41c86a525 Mon Sep 17 00:00:00 2001
From: hannahhoward
Date: Fri, 8 Dec 2023 14:42:30 -0800
Subject: [PATCH 1/4] fix(gateway): bound negative indexes to size of file when using entity-bytes with a file and a negative start range, insure that ranges more negative than the file's length are bounded at zero
---
 gateway/blocks_backend.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/gateway/blocks_backend.go b/gateway/blocks_backend.go
index fe188ae71..fcb34fc23 100644
--- a/gateway/blocks_backend.go
+++ b/gateway/blocks_backend.go
@@ -508,6 +508,9 @@ func walkGatewaySimpleSelector(ctx context.Context, p path.ImmutablePath, params
 return err
 }
 from = fileLength + entityRange.From
+ if from < 0 {
+ from = 0
+ }
 foundFileLength = true
 }
From 32424782ae56e8ccdff7e454a2da4067329d008c Mon Sep 17 00:00:00 2001
From: hannahhoward
Date: Fri, 8 Dec 2023 14:46:08 -0800
Subject: [PATCH 2/4] docs(CHANGELOG): record bug fix
---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 12ad5df7e..68f3a05c5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,11 @@ The following emojis are used to highlight certain changes:
 ### Removed
+### Fixed
+
+* `boxo/gateway`
+ * when making a trustless CAR request with the "entity-bytes" parameter, using a negative index greater than the underlying entity length could trigger reading more data than intended
+
 ### Security
 ## [v0.17.0]
From c3931cfaf4b36ec0e5def1499177a2b3c3bf6478 Mon Sep 17 00:00:00 2001
From: Marcin Rataj
Date: Wed, 24 Jan 2024 03:01:18 +0100
Subject: [PATCH 3/4] fix: adjust negative to when from is negative too
---
 gateway/blocks_backend.go | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/gateway/blocks_backend.go b/gateway/blocks_backend.go
index fcb34fc23..d85c2846b 100644
--- a/gateway/blocks_backend.go
+++ b/gateway/blocks_backend.go
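Review bot: The clamp `if from < 0 { from = 0 }` arrives without a regression test: the diffstat of this patch touches only gateway/blocks_backend.go, and the entity-bytes value comes from the request, so a case where the negative start exceeds the file length should be pinned in the gateway tests (unless the gateway-conformance v0.5 bump later in the series is meant to cover it). A one-line comment above the check would also help the next reader, for example `// a negative start further back than the file length is clamped to the first byte`. The enclosing branch of walkGatewaySimpleSelector starts and ends outside the hunk, so how `from` is consumed afterwards cannot be confirmed from these lines.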
@@ -524,13 +524,15 @@ func walkGatewaySimpleSelector(ctx context.Context, p path.ImmutablePath, params
 }
 to := *entityRange.To
- if (*entityRange.To) < 0 && !foundFileLength {
- fileLength, err = f.Seek(0, io.SeekEnd)
- if err != nil {
- return err
+ if (*entityRange.To) < 0 {
+ if !foundFileLength {
+ fileLength, err = f.Seek(0, io.SeekEnd)
+ if err != nil {
+ return err
+ }
+ foundFileLength = true
 }
 to = fileLength + *entityRange.To
- foundFileLength = true
 }
 numToRead := 1 + to - from
From 22331dc8be49c9c4ef2108378fc1042fd6cef770 Mon Sep 17 00:00:00 2001
From: Marcin Rataj
Date: Thu, 25 Jan 2024 17:43:48 +0100
Subject: [PATCH 4/4] chore: gateway-conformance@v0.5 https://github.com/ipfs/gateway-conformance/releases/tag/v0.5.0
---
 .github/workflows/gateway-conformance.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/gateway-conformance.yml b/.github/workflows/gateway-conformance.yml
index f45e9aedf..c9c3eb072 100644
--- a/.github/workflows/gateway-conformance.yml
+++ b/.github/workflows/gateway-conformance.yml
@@ -16,18 +16,18 @@ jobs:
 steps:
 # 1. Download the gateway-conformance fixtures
 - name: Download gateway-conformance fixtures
- uses: ipfs/gateway-conformance/.github/actions/extract-fixtures@v0.4
+ uses: ipfs/gateway-conformance/.github/actions/extract-fixtures@v0.5
 with:
 output: fixtures
 merged: true
 # 2. Build the car-gateway
 - name: Setup Go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@v4
 with:
 go-version: 1.21.x
 - name: Checkout boxo
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 path: boxo
 - name: Build car-gateway
@@ -40,7 +40,7 @@ jobs:
 # 4. Run the gateway-conformance tests
 - name: Run gateway-conformance tests
- uses: ipfs/gateway-conformance/.github/actions/test@v0.4
+ uses: ipfs/gateway-conformance/.github/actions/test@v0.5
 with:
 gateway-url: http://127.0.0.1:8040
 json: output.json
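Review bot: `to = fileLength + *entityRange.To` still has no lower bound, whereas the first patch in this series clamps `from` at zero, so an end offset more negative than the file length leaves `to` negative and makes `numToRead := 1 + to - from` zero or negative. The code that consumes `numToRead` lies below the hunk, so it should be confirmed that a non-positive count is rejected there before any read is issued. If it is not, an explicit `if to < from { ... }` check directly after the computation would make a request-supplied range fail closed. A test that sends a negative start together with a negative end in one request would pin the case this patch fixes.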