Merge pull request ipfs/go-blockservice#25 from ipfs/revert-23-fix/remove-verifcid

Kubuxu · web-flow · commit 10d148a3666f · 2019-02-28T20:20:25.000+01:00
Revert "Remove verifcid as it is handled in go-cid" This commit was moved from ipfs/go-blockservice@6f4459a
diff --git a/blockservice/blockservice.go b/blockservice/blockservice.go
@@ -14,6 +14,7 @@ import (
 	blockstore "github.com/ipfs/go-ipfs-blockstore"
 	exchange "github.com/ipfs/go-ipfs-exchange-interface"
 	logging "github.com/ipfs/go-log"
+	"github.com/ipfs/go-verifcid"
 )
 
 var log = logging.Logger("blockservice")
@@ -130,6 +131,11 @@ func NewSession(ctx context.Context, bs BlockService) *Session {
 // TODO pass a context into this if the remote.HasBlock is going to remain here.
 func (s *blockService) AddBlock(o blocks.Block) error {
 	c := o.Cid()
+	// hash security
+	err := verifcid.ValidateCid(c)
+	if err != nil {
+		return err
+	}
 	if s.checkFirst {
 		if has, err := s.blockstore.Has(c); has || err != nil {
 			return err
@@ -150,6 +156,13 @@ func (s *blockService) AddBlock(o blocks.Block) error {
 }
 
 func (s *blockService) AddBlocks(bs []blocks.Block) error {
+	// hash security
+	for _, b := range bs {
+		err := verifcid.ValidateCid(b.Cid())
+		if err != nil {
+			return err
+		}
+	}
 	var toput []blocks.Block
 	if s.checkFirst {
 		toput = make([]blocks.Block, 0, len(bs))
@@ -198,6 +211,11 @@ func (s *blockService) getExchange() exchange.Fetcher {
 }
 
 func getBlock(ctx context.Context, c cid.Cid, bs blockstore.Blockstore, fget func() exchange.Fetcher) (blocks.Block, error) {
+	err := verifcid.ValidateCid(c) // hash security
+	if err != nil {
+		return nil, err
+	}
+
 	block, err := bs.Get(c)
 	if err == nil {
 		return block, nil
@@ -241,6 +259,18 @@ func getBlocks(ctx context.Context, ks []cid.Cid, bs blockstore.Blockstore, fget
 	go func() {
 		defer close(out)
 
+		k := 0
+		for _, c := range ks {
+			// hash security
+			if err := verifcid.ValidateCid(c); err == nil {
+				ks[k] = c
+				k++
+			} else {
+				log.Errorf("unsafe CID (%s) passed to blockService.GetBlocks: %s", c, err)
+			}
+		}
+		ks = ks[:k]
+
 		var misses []cid.Cid
 		for _, c := range ks {
 			hit, err := bs.Get(c)
