From 8ced43f3c79d61c91c88ad86b8f7b801b94d93f3 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Wed, 11 Oct 2023 13:08:29 +0200
Subject: feat(tvix/store/protos): validate NarSha256

Change-Id: I016d1b020b04850f0dca68c2ea96643230dada10
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9649
Reviewed-by: Brian McGee
Tested-by: BuildkiteCI
---
 tvix/store/protos/pathinfo.go | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'tvix/store/protos/pathinfo.go')

diff --git a/tvix/store/protos/pathinfo.go b/tvix/store/protos/pathinfo.go
index 595a1b4fab..2c718c6245 100644
--- a/tvix/store/protos/pathinfo.go
+++ b/tvix/store/protos/pathinfo.go
@@ -2,6 +2,7 @@ package storev1

 import (
 "bytes"
+ "crypto/sha256"
 "encoding/base64"
 "fmt"

@@ -20,6 +21,11 @@ func (p *PathInfo) Validate() (*storepath.StorePath, error) {

 // If there's a Narinfo field populated..
 if narInfo := p.GetNarinfo(); narInfo != nil {
+ // ensure the NarSha256 digest has the correct length.
+ if len(narInfo.GetNarSha256()) != sha256.Size {
+ return nil, fmt.Errorf("invalid number of bytes for NarSha256: expected %d, got %d", sha256.Size, len(narInfo.GetNarSha256()))
+ }
+
 // ensure the number of references matches len(References).
 if len(narInfo.GetReferenceNames()) != len(p.GetReferences()) {
 return nil, fmt.Errorf("inconsistent number of references: %d (references) vs %d (narinfo)", len(narInfo.GetReferenceNames()), len(p.GetReferences()))
--
cgit 1.4.1
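Review bot: The check added at the top of the `narInfo != nil` branch of `Validate()` only establishes that `NarSha256` is `sha256.Size` bytes long, so a nil error says nothing about whether the digest matches any NAR. The comment should say so, e.g. `// ensure the NarSha256 digest has the correct length; this only checks the size, not that it matches any NAR.` `Validate()` starts and ends outside this hunk, so whether the digest is compared elsewhere cannot be seen from here; callers that fetch NAR data presumably still have to hash it themselves. `narInfo.GetNarSha256()` is also evaluated twice; binding it once (`narSha256 := narInfo.GetNarSha256()`) keeps the condition and the error message in step. The page is limited to pathinfo.go, so it is not visible whether a test feeds an empty and a too-short digest through the new error path.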