about summary refs log tree commit diff
path: root/tvix
diff options
context:
space:
mode:
Diffstat (limited to 'tvix')
-rw-r--r--tvix/store/protos/pathinfo.go6
-rw-r--r--tvix/store/protos/pathinfo_test.go12
2 files changed, 17 insertions, 1 deletions
diff --git a/tvix/store/protos/pathinfo.go b/tvix/store/protos/pathinfo.go
index 595a1b4fab..2c718c6245 100644
--- a/tvix/store/protos/pathinfo.go
+++ b/tvix/store/protos/pathinfo.go
@@ -2,6 +2,7 @@ package storev1
 
 import (
 	"bytes"
+	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
 
@@ -20,6 +21,11 @@ func (p *PathInfo) Validate() (*storepath.StorePath, error) {
 
 	// If there's a Narinfo field populated..
 	if narInfo := p.GetNarinfo(); narInfo != nil {
+		// ensure the NarSha256 digest has the correct length.
+		if len(narInfo.GetNarSha256()) != sha256.Size {
+			return nil, fmt.Errorf("invalid number of bytes for NarSha256: expected %d, got %d", sha256.Size, len(narInfo.GetNarSha256()))
+		}
+
 		// ensure the number of references matches len(References).
 		if len(narInfo.GetReferenceNames()) != len(p.GetReferences()) {
 			return nil, fmt.Errorf("inconsistent number of references: %d (references) vs %d (narinfo)", len(narInfo.GetReferenceNames()), len(p.GetReferences()))
diff --git a/tvix/store/protos/pathinfo_test.go b/tvix/store/protos/pathinfo_test.go
index adac30a97f..74af50e569 100644
--- a/tvix/store/protos/pathinfo_test.go
+++ b/tvix/store/protos/pathinfo_test.go
@@ -34,7 +34,7 @@ func genPathInfoSymlink() *storev1pb.PathInfo {
 		References: [][]byte{exampleStorePathDigest},
 		Narinfo: &storev1pb.NARInfo{
 			NarSize:        0,
-			NarSha256:      []byte{},
+			NarSha256:      []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
 			Signatures:     []*storev1pb.NARInfo_Signature{},
 			ReferenceNames: []string{EXAMPLE_STORE_PATH},
 		},
@@ -61,6 +61,16 @@ func TestValidate(t *testing.T) {
 		assert.Equal(t, "00000000000000000000000000000000-dummy", storePath.String())
 	})
 
+	t.Run("invalid nar_sha256", func(t *testing.T) {
+		pi := genPathInfoSymlink()
+
+		// create broken references, where the reference digest is wrong
+		pi.Narinfo.NarSha256 = []byte{0xbe, 0xef}
+
+		_, err := pi.Validate()
+		assert.Error(t, err, "must not validate")
+	})
+
 	t.Run("invalid reference digest", func(t *testing.T) {
 		pi := genPathInfoSymlink()
generated by cgit-pink 1.4.1 (git 2.44.2) at 2024-07-05T21ยท57+0000