From a0bf9ecf43e3475989b1e70c9a574eac9354b540 Mon Sep 17 00:00:00 2001 From: redaphid Date: Tue, 21 Jun 2022 12:21:25 -0700 Subject: [PATCH 1/3] feat: Validate pin origins Closes #536 From 62b5caaa7e2091d6f857f365d0f365dafb4a9359 Mon Sep 17 00:00:00 2001 From: redaphid Date: Tue, 21 Jun 2022 12:31:06 -0700 Subject: [PATCH 2/3] add check for non-multiaddr origins --- packages/api/test/pin-add.spec.js | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/packages/api/test/pin-add.spec.js b/packages/api/test/pin-add.spec.js index d03cec769d..201e789719 100644 --- a/packages/api/test/pin-add.spec.js +++ b/packages/api/test/pin-add.spec.js @@ -182,6 +182,23 @@ describe('Pin add ', () => { }) }) + it('should error pinning with non-multiaddr origins', async () => { + // expected CID for the above data + const cid = 'bafkreidvbhs33ighmljlvr7zbv2ywwzcmp5adtf4kqvlly67cy56bdtmve' + const res = await fetch('pins', { + method: 'POST', + headers: { Authorization: `Bearer ${client.token}` }, + body: JSON.stringify({ cid, origins: ['garlic-barber'] }), + }) + const value = await res.json() + assert.deepStrictEqual(value, { + error: { + reason: 'INVALID_PIN_DATA', + details: 'invalid origins', + }, + }) + }) + it('should pin to cluster by source CID', async () => { const cidv0 = 'QmXRdb4vemfS7Z6EL2p47XdjRatZ5Ne8DEnwr5uaHqXnak' const cidv1 = CID.parse(cidv0).toV1().toString() From f680588850afdfa77c87ecad781a0b7fd2d04e2c Mon Sep 17 00:00:00 2001 From: redaphid Date: Tue, 21 Jun 2022 14:18:37 -0700 Subject: [PATCH 3/3] debugging pin origins array crash when the origin array has multiaddresses --- packages/api/src/routes/pins-add.js | 22 ++++++++++++++++++-- packages/api/test/pin-add.spec.js | 31 +++++++++++++++++++++++++++-- 2 files changed, 49 insertions(+), 4 deletions(-) diff --git a/packages/api/src/routes/pins-add.js b/packages/api/src/routes/pins-add.js index 52acfea840..7d7392463e 100644 --- a/packages/api/src/routes/pins-add.js 
+++ b/packages/api/src/routes/pins-add.js @@ -3,6 +3,7 @@ import * as cluster from '../cluster.js' import { checkAuth, validate } from '../utils/auth.js' import { parseCidPinning } from '../utils/utils.js' import { toPinsResponse } from '../utils/db-transforms.js' +import { Multiaddr } from 'multiaddr' /** @type {import('../bindings').Handler} */ export async function pinsAdd(event, ctx) { @@ -45,11 +46,28 @@ export async function pinsAdd(event, ctx) { Object.entries(pinData.meta).filter(([, v]) => typeof v === 'string') ) } - + // validate origins + if (pinData.origins && pinData.origins.length !== 0) { + for (const o of pinData.origins) { + try { + const multi = new Multiaddr(o) + continue + } catch { + return new JSONResponse( + { + error: { + reason: 'INVALID_PIN_DATA', + details: `invalid origins: ${o} is not a multiaddr`, + }, + }, + { status: 400 } + ) + } + } + } await cluster.pin(cid.sourceCid, { origins: pinData.origins, }) - const upload = await db.createUpload({ type: 'Remote', content_cid: cid.contentCid, diff --git a/packages/api/test/pin-add.spec.js b/packages/api/test/pin-add.spec.js index 201e789719..a1d47102c6 100644 --- a/packages/api/test/pin-add.spec.js +++ b/packages/api/test/pin-add.spec.js @@ -1,5 +1,6 @@ import assert from 'assert' import { CID } from 'multiformats' +import { Multiaddr } from 'multiaddr' import { createClientWithUser, DBTestClient, 
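Review bot: The origins check in the `@@ -45,11 +46,28 @@` hunk parses each entry with `new Multiaddr(o)` and throws the result away, so `cluster.pin` is still called with the raw request values rather than the validated ones. As far as I know the constructor treats `null`, `undefined` and `''` as an empty address instead of throwing, and the `for...of` sits outside the `try`, so a non-array `origins` is either walked character by character or raises an unhandled TypeError, unless the schema behind `validate` (not visible here) already rules that out. The 400 body also reflects the rejected value through `${o}` with no length limit; a fixed details string or the index of the bad entry would avoid echoing request data. The fence sketches keeping the canonical strings and handing those to the cluster call; `pinsAdd` begins and ends outside this hunk.

```javascript
  // validate origins; keep the canonical string form for the cluster call
  let origins
  if (pinData.origins != null) {
    if (!Array.isArray(pinData.origins)) {
      // … return the same 400 INVALID_PIN_DATA JSONResponse as below …
    }
    origins = []
    for (const o of pinData.origins) {
      try {
        if (typeof o !== 'string' || o === '') {
          throw new TypeError('origin must be a non-empty string')
        }
        origins.push(new Multiaddr(o).toString())
      } catch {
        // … unchanged: return the 400 INVALID_PIN_DATA JSONResponse, with a fixed details string …
      }
    }
  }
  await cluster.pin(cid.sourceCid, { origins })
```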
@@ -182,8 +183,33 @@ describe('Pin add ', () => { }) }) + it('should be ok pinning with an empty origins array', async () => { + const cid = 'bafkreidvbhs33ighmljlvr7zbv2ywwzcmp5adtf4kqvlly67cy56bdtmve' + const res = await fetch('pins', { + method: 'POST', + headers: { Authorization: `Bearer ${client.token}` }, + body: JSON.stringify({ cid, origins: [] }), + }) + const value = await res.json() + assert.deepStrictEqual(value.status, 'queued') + }) + + it.only('should be ok pinning an origins array with multiaddresses', async () => { + const cid = 'bafkreidvbhs33ighmljlvr7zbv2ywwzcmp5adtf4kqvlly67cy56bdtmve' + const multiOrigin = Multiaddr.fromNodeAddress( + { address: '127.0.0.1', port: 4001, family: 4 }, + 'tcp' + ) + const res = await fetch('pins', { + method: 'POST', + headers: { Authorization: `Bearer ${client.token}` }, + body: JSON.stringify({ cid, origins: [multiOrigin] }), + }) + const value = await res.json() + assert.deepStrictEqual(value, 'queued') + }) + it('should error pinning with non-multiaddr origins', async () => { - // expected CID for the above data const cid = 'bafkreidvbhs33ighmljlvr7zbv2ywwzcmp5adtf4kqvlly67cy56bdtmve' const res = await fetch('pins', { method: 'POST', @@ -194,7 +220,8 @@ describe('Pin add ', () => { assert.deepStrictEqual(value, { error: { reason: 'INVALID_PIN_DATA', - details: 'invalid origins', + details: + 'invalid origins: one or more of the origins are not a multiaddr', }, }) })
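Review bot: `it.only` on the multiaddress test in the `@@ -182,8 +183,33 @@` hunk makes the runner skip every other case in this spec, including the rejection test for malformed origins, so the input validation added in this commit would go unexercised in CI. It should be a plain `it('should be ok pinning an origins array with multiaddresses', async () => {`. The same test ends with `assert.deepStrictEqual(value, 'queued')`, which compares the whole response body to a string; the empty-array test just above reads `value.status`, and this one should as well: `assert.strictEqual(value.status, 'queued')`. Neither positive test checks `res.status`, so a success-shaped body on an error status would still pass.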
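Review bot: The expected `details` in the `@@ -194,7 +220,8 @@` hunk, `'invalid origins: one or more of the origins are not a multiaddr'`, does not match what the handler in this same commit returns, `invalid origins: ${o} is not a multiaddr`. Assuming the request reaches the new loop, this assertion would fail for `['garlic-barber']` once it actually runs; for now the `it.only` earlier in the file hides it. Use one message on both sides; the fixed wording here is the better choice because it does not echo request input, so pins-add.js would carry `details: 'invalid origins: one or more of the origins are not a multiaddr',`. Adding `assert.strictEqual(res.status, 400)` would pin the rejection path as well; the test body starts outside this hunk.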