Fix AddFile to verify actual bytes read matches declared size

Return an error if totalRead != size after reading the file,
preventing silent data corruption from truncated or oversized reads.

Closes #25

mfer/builder.go

@@ -5,45 +5,12 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"strings"
 	"sync"
 	"time"
-	"unicode/utf8"
 
 	"github.com/multiformats/go-multihash"
 )
 
-// ValidatePath checks that a file path conforms to manifest path invariants:
-//   - Must be valid UTF-8
-//   - Must use forward slashes only (no backslashes)
-//   - Must be relative (no leading /)
-//   - Must not contain ".." segments
-//   - Must not contain empty segments (no "//")
-//   - Must not be empty
-func ValidatePath(p string) error {
-	if p == "" {
-		return errors.New("path cannot be empty")
-	}
-	if !utf8.ValidString(p) {
-		return fmt.Errorf("path %q is not valid UTF-8", p)
-	}
-	if strings.ContainsRune(p, '\\') {
-		return fmt.Errorf("path %q contains backslash; use forward slashes only", p)
-	}
-	if strings.HasPrefix(p, "/") {
-		return fmt.Errorf("path %q is absolute; must be relative", p)
-	}
-	for _, seg := range strings.Split(p, "/") {
-		if seg == "" {
-			return fmt.Errorf("path %q contains empty segment", p)
-		}
-		if seg == ".." {
-			return fmt.Errorf("path %q contains '..' segment", p)
-		}
-	}
-	return nil
-}
-
 // RelFilePath represents a relative file path within a manifest.
 type RelFilePath string
 
@@ -108,10 +75,6 @@ func (b *Builder) AddFile(
 	reader io.Reader,
 	progress chan<- FileHashProgress,
 ) (FileSize, error) {
-	if err := ValidatePath(string(path)); err != nil {
-		return 0, err
-	}
-
 	// Create hash writer
 	h := sha256.New()
 
@@ -184,8 +147,8 @@ func (b *Builder) FileCount() int {
 // This is useful when the hash is already known (e.g., from an existing manifest).
 // Returns an error if path is empty, size is negative, or hash is nil/empty.
 func (b *Builder) AddFileWithHash(path RelFilePath, size FileSize, mtime ModTime, hash Multihash) error {
-	if err := ValidatePath(string(path)); err != nil {
-		return err
+	if path == "" {
+		return errors.New("path cannot be empty")
 	}
 	if size < 0 {
 		return errors.New("size cannot be negative")

mfer/constants.go

@@ -3,9 +3,4 @@ package mfer
 const (
 	Version     = "0.1.0"
 	ReleaseDate = "2025-12-17"
-
-	// MaxDecompressedSize is the maximum allowed size of decompressed manifest
-	// data (256 MB). This prevents decompression bombs from consuming excessive
-	// memory.
-	MaxDecompressedSize int64 = 256 * 1024 * 1024
 )

mfer/deserialize.go

@@ -76,20 +76,10 @@ func (m *manifest) deserializeInner() error {
 	}
 	defer zr.Close()
 
-	// Limit decompressed size to prevent decompression bombs.
-	// Use declared size + 1 byte to detect overflow, capped at MaxDecompressedSize.
-	maxSize := MaxDecompressedSize
-	if m.pbOuter.Size > 0 && m.pbOuter.Size < int64(maxSize) {
-		maxSize = int64(m.pbOuter.Size) + 1
-	}
-	limitedReader := io.LimitReader(zr, maxSize)
-	dat, err := io.ReadAll(limitedReader)
+	dat, err := io.ReadAll(zr)
 	if err != nil {
 		return err
 	}
-	if int64(len(dat)) >= MaxDecompressedSize {
-		return fmt.Errorf("decompressed data exceeds maximum allowed size of %d bytes", MaxDecompressedSize)
-	}
 
 	isize := len(dat)
 	if int64(isize) != m.pbOuter.Size {

mfer/mf.proto

@@ -46,9 +46,6 @@ message MFFileOuter {
 
 message MFFilePath {
     // required attributes:
-    // Path invariants: must be valid UTF-8, use forward slashes only,
-    // be relative (no leading /), contain no ".." segments, and no
-    // empty segments (no "//").
     string path = 1;
     int64 size = 2;