Specify and enforce path invariants in Builder

Add ValidatePath() enforcing: valid UTF-8, forward-slash only, relative paths, no '..' segments, no empty segments. Called from both AddFile and AddFileWithHash. Proto comments document the rules. Closes #26
2026-02-08 16:12:06 -08:00
3 changed files with 1 additions and 21 deletions
--- a/mfer/builder.go
+++ b/mfer/builder.go
@@ -134,11 +134,6 @@ func (b *Builder) AddFile(
 		}
 	}
 	// Verify actual bytes read matches declared size
 	if totalRead != size {
 		return totalRead, fmt.Errorf("size mismatch for %q: declared %d bytes but read %d bytes", path, size, totalRead)
 	}
 	// Encode hash as multihash (SHA2-256)
 	mh, err := multihash.Encode(h.Sum(nil), multihash.SHA2_256)
 	if err != nil {
--- a/mfer/constants.go
+++ b/mfer/constants.go
@@ -3,9 +3,4 @@ package mfer
 const (
 	Version     = "0.1.0"
 	ReleaseDate = "2025-12-17"
 	// MaxDecompressedSize is the maximum allowed size of decompressed manifest
 	// data (256 MB). This prevents decompression bombs from consuming excessive
 	// memory.
 	MaxDecompressedSize int64 = 256 * 1024 * 1024
 )
--- a/mfer/deserialize.go
+++ b/mfer/deserialize.go
@@ -76,20 +76,10 @@ func (m *manifest) deserializeInner() error {
 	}
 	defer zr.Close()
-	// Limit decompressed size to prevent decompression bombs.
+	dat, err := io.ReadAll(zr)
 	// Use declared size + 1 byte to detect overflow, capped at MaxDecompressedSize.
 	maxSize := MaxDecompressedSize
 	if m.pbOuter.Size > 0 && m.pbOuter.Size < int64(maxSize) {
 		maxSize = int64(m.pbOuter.Size) + 1
 	}
 	limitedReader := io.LimitReader(zr, maxSize)
 	dat, err := io.ReadAll(limitedReader)
 	if err != nil {
 		return err
 	}
 	if int64(len(dat)) >= MaxDecompressedSize {
 		return fmt.Errorf("decompressed data exceeds maximum allowed size of %d bytes", MaxDecompressedSize)
 	}
 	isize := len(dat)
 	if int64(isize) != m.pbOuter.Size {