helia icon indicating copy to clipboard operation
helia copied to clipboard
verified publisher icon ipfs

helia/http: configurable MaxBlockSize

Open lidel opened this issue 8 months ago • 0 comments

trustless-gateway.ts#L92 does not seem to have any protection against being tricked into fetching terabytes of data.

Helia should have a response size check and config option similar to HTTPRetrieval.MaxBlockSize from Kubo 0.35.0-rc1, where there is implicit limit of 2MiB but user is able to override it.

Implementation-wise, either error, or if its more tricky with streaming, perhaps wrap response stream in something that will truncate responses bigger than limit? If we verify hashes before doing put to blockstore, truncating should be enough, because the hash of truncated response will no longer match CID and the response.

cc @SgtPooki @achingbrain – marking this as a bug, because without any limit, every client is at risk of being tricked into opening malicious CID and streaming a lot of garbage data

  • Part of https://github.com/ipshipyard/roadmaps/issues/5
  • Part of https://github.com/ipshipyard/roadmaps/issues/9

lidel avatar May 12 '25 18:05 lidel