feat(gateway): TAR response format #9029
Conversation
Thank you for driving this @hacdias

Looks sensible, next steps:

- Update http-gateways/PATH_GATEWAY.md specs
  - Rationale: downloading UnixFS directory as TAR massively increases utility of gateways in use cases where CAR is not necessary, so this should be part of the spec
  - PR against my PR (Add HTTP Gateway Specs specs#283) for now
- needs sharness test that downloads a directory as TAR and saves it to disk (curl piped to tar command should be enough)
(branch force-pushed from 04248e4 to 39f1cb4)
@lidel thanks for the review. I added two tests (not sure if on the right file).
(branch force-pushed from 3e895e2 to d82f396)

(branch force-pushed from d82f396 to a3b08be)
(I have unfinished review of this pending and some local test code, re-assigning to myself, as some notes for implementers need to be bubbled up to IPIP)
(branch force-pushed from 96bcd7e to 54fbf94)
To test the security concern raised by @lidel in this comment regarding overwriting files by having custom relative paths inside a custom made UnixFS DAG, I... built my own DAG that tries to exploit that same issue. CID:

I just pushed a WIP version of a "Base Dir TAR Writer" which is essentially a copy of the TAR Writer in

```go
// Fragment of the WIP "Base Dir TAR Writer": an entry whose path does not
// already sit under the writer's base directory has its dots stripped and is
// re-rooted under the base directory instead of being written where it points.
if !strings.HasPrefix(fpath, w.baseDir) {
	fpath = strings.Replace(fpath, ".", "", -1)
	// Effectively a no-op: every "." was already removed by the line above.
	fpath = strings.Replace(fpath, "..", "", -1)
	fpath = path.Join(w.baseDir, fpath)
}
```

It does what it is supposed to do (only tested locally, no testcase). Some things I'm still unhappy with:

Note that the original TAR Writer is also used in

Thoughts? /cc @lidel
I haven't been following the details closely, but I know we have had security issues with tar issues over the years. Can we make sure the security hardening is all in one place and shared across the stack (rather than copy and pasted)?
I definitely agree and I think it'd be better to just update this on go-ipfs-files. However, I also want to ensure that everyone agrees with the strategy. Right now, all files that would otherwise fall outside the root directory are forced to stay within the root directory. This does not keep the tree structure.

Yesterday during the colo @lidel mentioned that it could also be a great idea to just return an error and fail building the TAR. That is the behaviour of

And also:

Instead of failing during the TAR unpacking, we can make it fail during the TAR creation, covering all cases where malicious TARs may be created. However, as @lidel mentioned yesterday, this may break someone else's use case (any idea?). But so would truncating the paths. Nowadays we always have CAR files where the user can always download the RAW, unmodified data if they please. So two options:

In either case, I will be updating the original TarWriter in https://github.com/ipfs/go-ipfs-files. /cc @lidel
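Added example (not code from this PR or from go-ipfs-files) putting the two strategies discussed in the last two comments side by side in Go: the re-rooting sanitizer of the WIP "Base Dir TAR Writer" and the fail-on-escape check the thread converges on, both run over a constructed list of directory entries that includes a crafted `../` link name. `dagEntry`, `sanitizeIntoRoot`, `safeJoin`, `buildTar`, `ErrPathEscapesRoot` and the root name `bafy-root` are this example's own names, not the library's.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// ErrPathEscapesRoot is an error name chosen for this example (it is not the
// go-ipfs-files error): it reports an entry whose path would land outside root.
var ErrPathEscapesRoot = errors.New("entry path escapes archive root")

// dagEntry is a constructed stand-in for one file met while walking a UnixFS
// directory: the link name as stored in the parent node, plus the content.
type dagEntry struct {
	name string
	data []byte
}

// sanitizeIntoRoot is the "force it back under the root" strategy: when the
// joined path no longer starts with baseDir, every "." is stripped and the
// remainder is re-rooted under baseDir. It never fails, but the entry ends up
// at a name the DAG never contained, and the bare prefix check still lets a
// sibling directory such as baseDir+"2" through.
func sanitizeIntoRoot(baseDir, name string) string {
	fpath := path.Join(baseDir, name)
	if !strings.HasPrefix(fpath, baseDir) {
		fpath = strings.Replace(fpath, ".", "", -1)
		fpath = path.Join(baseDir, fpath)
	}
	return fpath
}

// safeJoin is the "fail the whole TAR" strategy: the joined path must stay
// strictly inside root. The trailing separator in the prefix check is what
// rejects sibling directories that merely share root as a string prefix.
func safeJoin(root, name string) (string, error) {
	joined := path.Join(root, name)
	if joined == root || !strings.HasPrefix(joined, root+"/") {
		return "", fmt.Errorf("%w: %q", ErrPathEscapesRoot, name)
	}
	return joined, nil
}

// buildTar writes every entry under root into an in-memory TAR archive. The
// first escaping entry aborts the build, so a crafted DAG yields an error
// instead of an archive that a naive extractor would spread across the disk.
func buildTar(root string, entries []dagEntry) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		p, err := safeJoin(root, e.name)
		if err != nil {
			return nil, err
		}
		hdr := &tar.Header{Name: p, Mode: 0o644, Size: int64(len(e.data)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write(e.data); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// tarNames lists the entry names in an archive, to inspect what was produced.
func tarNames(archive []byte) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var names []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return names, nil
		}
		if err != nil {
			return nil, err
		}
		names = append(names, hdr.Name)
	}
}

func main() {
	root := "bafy-root" // constructed name standing in for the directory CID
	entries := []dagEntry{{"readme", []byte("hello")}, {"notes.txt", []byte("todo")}}
	archive, err := buildTar(root, entries)
	names, _ := tarNames(archive)
	fmt.Println("clean DAG:", names, err)

	// A link name of this shape is what a hand-crafted DAG can carry.
	crafted := append(entries, dagEntry{"../escape", []byte("x")})
	fmt.Println("sanitized name:", sanitizeIntoRoot(root, "../escape"))
	_, err = buildTar(root, crafted)
	fmt.Println("crafted DAG:", err)
}
```

The sanitizer keeps producing an archive, which is exactly the objection in the thread: the user gets files at names the DAG never had and no signal that anything was off, whereas the failing variant leaves CAR as the route for anyone who wants the raw, unmodified data.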
(branch force-pushed from 340dbbf to 5386136)
- shortened etag
- added tests
- moved weak etag to _tar.go file + added bunch of comments why
Thank you @hacdias, let's include this in Kubo 0.17-rc1 (will merge after CI passes).
(pushed some cosmetic changes around Etag + added entry to changelog)
Summary

How to use it

HTTP clients can request TAR response by passing the `?format=tar` URL parameter, or setting `Accept: application/x-tar` HTTP header:

Tasks

- `TarWriter` to fail if there's UnixFS files pointing outside the root directory: fix: error when TAR has files outside of root go-ipfs-files#56 with tests.

Things to note:

- `ipfs get --archive` in the sense that if a UnixFS directory contains a path that points to outside of its root, it fails to build the TAR archive. This way we prevent possible malicious TAR archives in all fronts. The user is suggested to use CAR archives iff they want the raw data.
- `X-Stream-Error`) in order to indicate an error. Since browsers cannot detect this kind of errors (http.headers.Trailer - reading trailers not supported by Fetch API mdn/browser-compat-data#14703), we forcefully try to close the connection to generate a network error on the user side.

Closes #7746
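Added example (not kubo's gateway code) of the request and error-signalling described in the PR body above, with both sides in Go: a handler that accepts either `?format=tar` or `Accept: application/x-tar`, streams the archive, and reports a failure that happens after the status line has gone out through the `X-Stream-Error` trailer; and a non-browser client that reads the trailer once the body is drained. `tarEntry`, `tarHandler`, `fetchTar`, `runDemo`, the path `/ipfs/bafy-root` and the entry names are constructed for this example; the forced connection close used for browsers is not reproduced here.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// tarEntry is a constructed stand-in for one file of a UnixFS directory walk.
// A non-nil err means the walk failed at this entry (for instance because its
// path would escape the root); in a real gateway that surfaces mid-stream.
type tarEntry struct {
	name string
	data []byte
	err  error
}

// wantsTar checks the two request forms: the ?format=tar query parameter
// or an Accept: application/x-tar header.
func wantsTar(r *http.Request) bool {
	if r.URL.Query().Get("format") == "tar" {
		return true
	}
	for _, v := range strings.Split(r.Header.Get("Accept"), ",") {
		if strings.TrimSpace(strings.SplitN(v, ";", 2)[0]) == "application/x-tar" {
			return true
		}
	}
	return false
}

// tarHandler streams entries as a TAR body. The 200 status is already on the
// wire when a later entry fails, so the failure goes into the X-Stream-Error
// trailer announced in the Trailer header up front, and the body is left
// truncated so the archive does not parse as complete.
func tarHandler(entries []tarEntry) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !wantsTar(r) {
			http.Error(w, "only TAR is served here", http.StatusNotAcceptable)
			return
		}
		w.Header().Set("Content-Type", "application/x-tar")
		w.Header().Set("Trailer", "X-Stream-Error")
		w.WriteHeader(http.StatusOK)
		if f, ok := w.(http.Flusher); ok {
			f.Flush() // headers are gone now; only the trailer can report errors
		}
		tw := tar.NewWriter(w)
		for _, e := range entries {
			if e.err != nil {
				w.Header().Set("X-Stream-Error", e.err.Error())
				return
			}
			hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.data)), Typeflag: tar.TypeReg}
			if err := tw.WriteHeader(hdr); err != nil {
				w.Header().Set("X-Stream-Error", err.Error())
				return
			}
			if _, err := tw.Write(e.data); err != nil {
				w.Header().Set("X-Stream-Error", err.Error())
				return
			}
		}
		if err := tw.Close(); err != nil {
			w.Header().Set("X-Stream-Error", err.Error())
		}
	}
}

// fetchTar is the non-browser client: it lists the entries it could read,
// drains the body so the trailers arrive, and returns X-Stream-Error
// (empty when the stream completed cleanly).
func fetchTar(url string) (names []string, streamErr string, err error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, "", err
	}
	req.Header.Set("Accept", "application/x-tar")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, "", errors.New("unexpected status: " + resp.Status)
	}
	tr := tar.NewReader(resp.Body)
	for {
		hdr, nerr := tr.Next()
		if nerr != nil { // io.EOF on a complete archive, ErrUnexpectedEOF on a truncated one
			break
		}
		names = append(names, hdr.Name)
	}
	io.Copy(io.Discard, resp.Body) // trailers are only populated once the body is fully read
	return names, resp.Trailer.Get("X-Stream-Error"), nil
}

// runDemo serves the entries over a local test server and fetches them.
func runDemo(entries []tarEntry) ([]string, string, error) {
	srv := httptest.NewServer(tarHandler(entries))
	defer srv.Close()
	return fetchTar(srv.URL + "/ipfs/bafy-root?format=tar")
}

func main() {
	ok := []tarEntry{{name: "bafy-root/readme", data: []byte("hello")}}
	fmt.Println(runDemo(ok))
	broken := []tarEntry{ok[0], {name: "bafy-root/../escape", err: errors.New("entry path escapes archive root")}}
	fmt.Println(runDemo(broken))
}
```

A client that stops at the first TAR parse error and drops the body never sees the trailer; the drain after the loop is what makes the error observable. That is the gap the PR body points at for browsers, where the Fetch API exposes no trailers at all, hence the connection close as the fallback signal.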