fix: enforce max identity digest size #331
Conversation
|
I don't think this is the right place to do this, they are not strictly limited by the ecosystem, you can make them if you want, it's just that some layers of the stack will reject it, so it's up to the creator to decide on this and I'm not convinced that we should just rule it out wholesale because not everyone using this library is passing data through helia or boxo. See ipfs/boxo#1018 for background. |
|
Ahh, got it! |
|
ipfs/helia#865 seems to be able to do this on the Helia side. I'd say that's the right place to do this; although I'm open to the possibility of making it easier here to add enforcement at higher layers of the stack, I'm just not keen on strictly doing it right at the bottom layer, thereby ruling out legitimate uses people might have for long identity hashes—they're not a good idea, but someone should be able to do this in their own isolated system I think (although this is not a very strongly held opinion, don't take this as me being dogmatic). |
2 participants
Enforces a maximum digest size of 128 bytes for identity multihashes.
In ipfs/helia, currently allows creation of identity CIDs with arbitrarily large digests.
This can lead to oversized inline CIDs being generated, which poses risks for gateways and blockstores (DoS, unbounded memory growth, etc)
ref: ipfs/helia#846