Kayos
9d6c7cffbe
Independent code audit (in-repo, fresh-eyes pass) flagged 0 critical, 4
high, 8 medium, 7 low. This commit addresses all 4 highs + the JSON
error-path inconsistency + the vestigial verify.STM stub.
HIGH fixes:
- cmd/mithril-go/main.go fetchCertRaw: missing status check let HTML 4xx/5xx
bodies fall through to confusing JSON-decode errors. Added explicit
StatusCode>=400 check + 16 MiB response body cap + Accept header.
- internal/artifact/download.go: SHA mismatch left .part on disk, causing
every retry to resume the corrupted bytes and fail SHA forever. Now
removes .part on hash mismatch so the next attempt starts clean.
- internal/stm/types.go DecodeAVK: rejects total_stake=0 and nr_leaves=0
at decode-time. internal/stm/lottery.go adds defensive guard for
stake==0 || totalStake==0 to prevent big.Rat.SetFrac panic (DoS vector
for the MCP server when fed crafted AVK).
- internal/stm/merkle.go: now requires (a) every proof value is exactly
32 bytes, (b) indices are STRICTLY ascending (no duplicates),
(c) every index is < nr_leaves, (d) all proof values are consumed by
the algorithm. Prevents parser-differential bugs vs upstream Rust.
JSON error-path wiring:
- cmd/mithril-go/json.go: replaced unused emitJSONErr with failure() helper
that routes errors to stdout-as-JSON when -json is set, else stderr-as-text.
Error envelope shape: {error: {code, kind, message}} where 'kind' is a
stable short string (network/integrity/verify/usage/internal) for agents
to branch on without parsing human text.
- All -json-supporting commands (info, list, show, cert, verify+subcommands)
now use failure() in error paths instead of bare fmt.Fprintln(stderr).
- Verified: 'verify -json deadbeef' on a bogus hash now emits valid JSON
to stdout with exit=3, instead of empty stdout + text on stderr.
Vestigial code:
- internal/verify/verify.go: removed STM() stub + ErrSTMNotImplemented.
Real STM verification has lived in internal/stm/verify.go since the
crypto sprint; the stub was dead code from milestone-by-milestone work.
Verification (still all green):
- preprod chain: 90 certs, 1124 wins ✓
- mainnet head: 59 signers, 1972 wins ✓
- preprod head: 2 signers, 11 wins ✓
- preprod genesis: Ed25519 ✓
- JSON error envelope on bogus hash: well-formed JSON, exit=3
- internal/stm unit test: PASS
Audit findings deferred to v1.0.2+: bubble-sort in stm.Verify (medium,
perf only at scale); int-vs-uint64 truncation guards on 32-bit targets
(medium, won't bite on 64-bit); tar mode-bit masking (medium, low impact
since archives are from trusted aggregator); no User-Agent header on
aggregator requests (low, op nicety); MCP scanner silent stop on >10 MiB
line (low, defensive).
151 lines
4.2 KiB
Go
151 lines
4.2 KiB
Go
// Package artifact handles downloading and extracting Mithril snapshot artifacts.
|
|
package artifact
|
|
|
|
import (
|
|
"context"
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
"time"
|
|
)
|
|
|
|
// ProgressFn is called with (bytesRead, totalBytes) where totalBytes is
|
|
// taken from the response Content-Length (0 if unknown — server didn't send).
|
|
type ProgressFn func(read, total int64)
|
|
|
|
// Download fetches a URL to destPath, resuming from a .part file if one
|
|
// exists. If expectedSHA256 is non-empty, the final file is integrity-checked.
|
|
// Progress is reported via the supplied callback (called with current bytes).
|
|
//
|
|
// Design notes:
|
|
// - No parallel chunks yet; a single streaming GET is fine for sub-GB
|
|
// artifacts and keeps the first working version simple. Range-chunk
|
|
// parallelism will land in v2 once extraction is end-to-end tested.
|
|
// - Resume is implemented via the HTTP Range header against the existing
|
|
// .part file size; falls back to full download if the server refuses.
|
|
// - destPath is atomically replaced only after SHA validation passes.
|
|
func Download(ctx context.Context, uri, destPath, expectedSHA256 string, progress ProgressFn) error {
|
|
if err := os.MkdirAll(filepath.Dir(destPath), 0o755); err != nil {
|
|
return fmt.Errorf("mkdir: %w", err)
|
|
}
|
|
partPath := destPath + ".part"
|
|
var existing int64
|
|
if fi, err := os.Stat(partPath); err == nil {
|
|
existing = fi.Size()
|
|
}
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if existing > 0 {
|
|
req.Header.Set("Range", fmt.Sprintf("bytes=%d-", existing))
|
|
}
|
|
|
|
client := &http.Client{Timeout: 0} // artifacts can be GB-scale
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return fmt.Errorf("GET %s: %w", uri, err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
var out *os.File
|
|
switch resp.StatusCode {
|
|
case http.StatusPartialContent:
|
|
out, err = os.OpenFile(partPath, os.O_APPEND|os.O_WRONLY, 0o644)
|
|
case http.StatusOK:
|
|
// Server ignored our range; start over.
|
|
existing = 0
|
|
out, err = os.Create(partPath)
|
|
default:
|
|
body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
|
|
return fmt.Errorf("GET %s: %d: %s", uri, resp.StatusCode, string(body))
|
|
}
|
|
if err != nil {
|
|
return fmt.Errorf("open part: %w", err)
|
|
}
|
|
defer out.Close()
|
|
|
|
h := sha256.New()
|
|
// If we're resuming, we need to re-hash the existing bytes.
|
|
if existing > 0 {
|
|
prev, err := os.Open(partPath)
|
|
if err == nil {
|
|
io.Copy(h, prev)
|
|
prev.Close()
|
|
}
|
|
}
|
|
|
|
// totalBytes = existing + response.ContentLength if server sent one;
|
|
// for resumed partial responses Content-Length is the remaining, not total.
|
|
var totalSize int64
|
|
if resp.ContentLength > 0 {
|
|
totalSize = existing + resp.ContentLength
|
|
}
|
|
|
|
w := io.MultiWriter(out, h)
|
|
read := existing
|
|
buf := make([]byte, 256*1024)
|
|
lastProgress := time.Now()
|
|
for {
|
|
n, rerr := resp.Body.Read(buf)
|
|
if n > 0 {
|
|
if _, werr := w.Write(buf[:n]); werr != nil {
|
|
return fmt.Errorf("write: %w", werr)
|
|
}
|
|
read += int64(n)
|
|
if progress != nil && time.Since(lastProgress) > 250*time.Millisecond {
|
|
progress(read, totalSize)
|
|
lastProgress = time.Now()
|
|
}
|
|
}
|
|
if rerr == io.EOF {
|
|
break
|
|
}
|
|
if rerr != nil {
|
|
return fmt.Errorf("read: %w", rerr)
|
|
}
|
|
}
|
|
if progress != nil {
|
|
progress(read, totalSize)
|
|
}
|
|
if err := out.Close(); err != nil {
|
|
return err
|
|
}
|
|
|
|
if expectedSHA256 != "" {
|
|
got := hex.EncodeToString(h.Sum(nil))
|
|
if got != expectedSHA256 {
|
|
// Remove the .part file — leaving it behind would cause every
|
|
// subsequent retry to resume from the same corrupted bytes and
|
|
// fail SHA again indefinitely.
|
|
_ = os.Remove(partPath)
|
|
return fmt.Errorf("SHA256 mismatch: want %s, got %s", expectedSHA256, got)
|
|
}
|
|
}
|
|
|
|
return os.Rename(partPath, destPath)
|
|
}
|
|
|
|
var ErrNoLocations = errors.New("no download locations available")
|
|
|
|
// DownloadFirst tries each URI in order until one succeeds.
|
|
func DownloadFirst(ctx context.Context, uris []string, destPath, expectedSHA256 string, progress ProgressFn) error {
|
|
if len(uris) == 0 {
|
|
return ErrNoLocations
|
|
}
|
|
var lastErr error
|
|
for _, uri := range uris {
|
|
if err := Download(ctx, uri, destPath, expectedSHA256, progress); err != nil {
|
|
lastErr = err
|
|
continue
|
|
}
|
|
return nil
|
|
}
|
|
return fmt.Errorf("all locations failed: last error: %w", lastErr)
|
|
}
|