feat(tvix/store/protos): validate NarSha256 r/6785

Change-Id: I016d1b020b04850f0dca68c2ea96643230dada10 Reviewed-on: https://cl.tvl.fyi/c/depot/+/9649 Reviewed-by: Brian McGee <brian@bmcgee.ie> Tested-by: BuildkiteCI
author: Florian Klink <flokli@flokli.de> 2023-10-11T11·08+0200
committer: flokli <flokli@flokli.de> 2023-10-11T15·29+0000
commit: 8ced43f3c79d61c91c88ad86b8f7b801b94d93f3 (patch)
tree: f94be36e433f392cd1a96d2de441c2800823ba67 /tvix/store/protos/pathinfo.go
parent: 6dab6081985dc0ccda0fcbcd45714ac122c229ef (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/tvix/store/protos/pathinfo.go b/tvix/store/protos/pathinfo.go
index 595a1b4fab..2c718c6245 100644
--- a/tvix/store/protos/pathinfo.go
+++ b/tvix/store/protos/pathinfo.go
@@ -2,6 +2,7 @@ package storev1
 
 import (
 	"bytes"
+	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
 
@@ -20,6 +21,11 @@ func (p *PathInfo) Validate() (*storepath.StorePath, error) {
 
 	// If there's a Narinfo field populated..
 	if narInfo := p.GetNarinfo(); narInfo != nil {
+		// ensure the NarSha256 digest has the correct length.
+		if len(narInfo.GetNarSha256()) != sha256.Size {
+			return nil, fmt.Errorf("invalid number of bytes for NarSha256: expected %d, got %d", sha256.Size, len(narInfo.GetNarSha256()))
+		}
+
 		// ensure the number of references matches len(References).
 		if len(narInfo.GetReferenceNames()) != len(p.GetReferences()) {
 			return nil, fmt.Errorf("inconsistent number of references: %d (references) vs %d (narinfo)", len(narInfo.GetReferenceNames()), len(p.GetReferences()))
author	Florian Klink <flokli@flokli.de>	2023-10-11T11·08+0200
committer	flokli <flokli@flokli.de>	2023-10-11T15·29+0000
commit	8ced43f3c79d61c91c88ad86b8f7b801b94d93f3 (patch)
tree	f94be36e433f392cd1a96d2de441c2800823ba67 /tvix/store/protos/pathinfo.go
parent	6dab6081985dc0ccda0fcbcd45714ac122c229ef (diff)