diff options
| author | Florian Klink <flokli@flokli.de> | 2023-02-16T16·11+0100 |
|---|---|---|
| committer | flokli <flokli@flokli.de> | 2023-03-10T10·58+0000 |
| commit | ab02fc668c23a4f0f262dd889278f2fc36793f9e (patch) | |
| tree | 1be5ba5925644035439687827e4ddb57a64ea565 /tvix/store/src/nar | |
| parent | bc3f71838f76b9ec141e1012f49e2a24d067c3c8 (diff) | |
feat(tvix/store): validate blob size in NARRenderer r/5917
Make sure the blob size in the current proto node matches what we get back from the blob backend. Change-Id: I939fa18f37c7bc86ada8a495c7be622e69ec47f8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8129 Tested-by: BuildkiteCI Reviewed-by: raitobezarius <tvl@lahfa.xyz>
Diffstat (limited to 'tvix/store/src/nar')
| -rw-r--r-- | tvix/store/src/nar/mod.rs | 3 | ||||
| -rw-r--r-- | tvix/store/src/nar/renderer.rs | 11 |
2 files changed, 14 insertions, 0 deletions
diff --git a/tvix/store/src/nar/mod.rs b/tvix/store/src/nar/mod.rs index d7d2cec4d803..a3a8677d92a6 100644 --- a/tvix/store/src/nar/mod.rs +++ b/tvix/store/src/nar/mod.rs @@ -17,6 +17,9 @@ pub enum RenderError { #[error("unable to find blob {}, referred from {}", BASE64.encode(.0), .1)] BlobNotFound(Vec<u8>, String), + #[error("unexpected size in metadata for blob {}, referred from {} returned, expected {}, got {}", BASE64.encode(.0), .1, .2, .3)] + UnexpectedBlobMeta(Vec<u8>, String, u32, u32), + #[error("failure using the NAR writer: {0}")] NARWriterError(std::io::Error), } diff --git a/tvix/store/src/nar/renderer.rs b/tvix/store/src/nar/renderer.rs index d8d9886b315d..94a392d36171 100644 --- a/tvix/store/src/nar/renderer.rs +++ b/tvix/store/src/nar/renderer.rs @@ -76,6 +76,17 @@ impl<BS: BlobService, CS: ChunkService + Clone, DS: DirectoryService> NARRendere return Err(RenderError::BlobNotFound(digest, proto_file_node.name)); } Some(blob_meta) => { + // make sure the blob_meta size matches what we expect from proto_file_node + let blob_meta_size = blob_meta.chunks.iter().fold(0, |acc, e| acc + e.size); + if blob_meta_size != proto_file_node.size { + return Err(RenderError::UnexpectedBlobMeta( + digest, + proto_file_node.name, + proto_file_node.size, + blob_meta_size, + )); + } + let mut blob_reader = std::io::BufReader::new(BlobReader::open( &self.chunk_service, blob_meta, |