fix(gateway): prevent blocked CIDs in CAR responses

Open lidel opened this issue 4 months ago • 1 comments

[!WARNING] This is WIP experimentation to see gateway-conformance regressions, not ready for review yet.

  • Depends on:
    • https://github.com/ipfs-shipyard/nopfs/pull/50
    • https://github.com/ipfs/gateway-conformance/pull/244
    • https://github.com/ipfs/gateway-conformance/pull/245
  • Closes #458

fix for ipfs/kubo#10361

The gateway was including blocked CIDs in CAR format responses, bypassing content filtering policies.

The fix separates the DAGService usage in GetCAR:

  • nodeGetterToCarExporer continues wrapping for path resolution
  • Original dagService is now used for blockOpener during traversal
  • blockOpener returns traversal.SkipMe{} for blocked content
  • Added detailed comments explaining the blocking architecture

This ensures blocked content is filtered from CAR responses while allowing partial CAR generation when internal blocks are blocked.

  • Tests in Kubo PR: https://github.com/ipfs/kubo/pull/10948

fix for https://github.com/ipfs/boxo/issues/458

We wait with headers until first block, and return 410 / 404 when we know we can't serve the data.

lidel, Aug 30 '25 01:08
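An added example, not code from boxo or from this PR, of the behaviour the description outlines: the root block is opened before any header is committed, and a blocked internal block is left out together with its subtree while the rest of the CAR is still sent. The names errSkip (standing in for traversal.SkipMe{}), open, serveCAR and fetch, the sample DAG, the one-line-per-block body and the 410-for-blocked / 404-for-missing mapping are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// errSkip: hypothetical stand-in for traversal.SkipMe{}. dag: constructed sample data.
var errSkip = errors.New("content blocked")
var dag = map[string][]string{"root": {"a", "b"}, "a": {"a1"}, "a1": nil, "b": nil}

// open plays the role of blockOpener: it refuses denylisted or unknown blocks.
func open(deny map[string]bool, id string) ([]string, error) {
	if deny[id] {
		return nil, errSkip
	}
	if links, ok := dag[id]; ok {
		return links, nil
	}
	return nil, fmt.Errorf("block %q not found", id)
}

// serveCAR opens the root before committing any header, then walks breadth-first.
func serveCAR(w http.ResponseWriter, deny map[string]bool, root string) {
	links, err := open(deny, root)
	if errors.Is(err, errSkip) {
		http.Error(w, err.Error(), http.StatusGone) // assumed mapping: blocked root -> 410
		return
	} else if err != nil {
		http.Error(w, err.Error(), http.StatusNotFound) // assumed mapping: missing root -> 404
		return
	}
	w.Header().Set("Content-Type", "application/vnd.ipld.car")
	fmt.Fprintln(w, root) // first write commits 200; one line stands in for one CAR frame
	for queue := links; len(queue) > 0; queue = queue[1:] {
		if child, err := open(deny, queue[0]); err == nil {
			fmt.Fprintln(w, queue[0])
			queue = append(queue, child...)
		} // else: a blocked (or unknown) internal block is omitted with its subtree
	}
}

func fetch(deny map[string]bool, root string) (int, string) { // status and body of one request
	rec := httptest.NewRecorder()
	serveCAR(rec, deny, root)
	return rec.Code, rec.Body.String()
}
func main() { fmt.Println(fetch(map[string]bool{"a": true}, "root")) }
```

With "a" denylisted the response is a 200 whose body lists only root and b; a client cannot tell from the status alone that the CAR is partial.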

Codecov Report

:x: Patch coverage is 36.55172% with 92 lines in your changes missing coverage. Please review. :white_check_mark: Project coverage is 60.50%. Comparing base (15a5643) to head (1ac242a).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| gateway/backend_blocks.go | 37.73% | 65 Missing and 1 partial :warning: |
| gateway/backend_car_fetcher.go | 0.00% | 18 Missing :warning: |
| gateway/errors.go | 33.33% | 6 Missing and 2 partials :warning: |

@@            Coverage Diff             @@
##             main    #1019      +/-   ##
==========================================
- Coverage   60.53%   60.50%   -0.04%     
==========================================
  Files         267      267              
  Lines       33269    33349      +80     
==========================================
+ Hits        20140    20177      +37     
- Misses      11467    11509      +42     
- Partials     1662     1663       +1     

| Files with missing lines | Coverage Δ | |
|---|---|---|
| gateway/handler_car.go | 79.79% <100.00%> (ø) | |
| gateway/errors.go | 81.69% <33.33%> (-4.32%) | :arrow_down: |
| gateway/backend_car_fetcher.go | 69.15% <0.00%> (-9.57%) | :arrow_down: |
| gateway/backend_blocks.go | 42.51% <37.73%> (+0.42%) | :arrow_up: |

... and 7 files with indirect coverage changes

codecov[bot], Aug 30 '25 01:08