@nikooo777

Currently, arbundles implementations don't correctly implement the ANS-104 spec.

Specifically: https://github.com/ArweaveTeam/arweave-standards/blob/master/ans/ANS-104.md#21-verifying-a-dataitem

A DataItem is valid iff.:

- id matches the signature (via SHA-256 of the signature)
- signature matches the owner's public key
- tags are all valid
- an anchor isn't more than 32 bytes

A tag object is valid iff.:

- there are <= 128 tags
- each key is <= 1024 bytes
- each value is <= 3072 bytes
- only contains a key and value
- both the key and value are non-empty strings

This PR aims at successfully verifying dataitems with tags together exceeding 4092 bytes in size but remaining within the per-tag threshold.
It also adds anchor validation.

As a bonus point, a couple of vulnerable dependencies are updated.

add anchor validation
update vulnerable dependencies
update arweave dep
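
The tag and anchor rules quoted in the PR description, written out as a stand-alone validator. This is an added example, not code from this PR or from arbundles; the function names, the `name`/`value` field names, the `allowEmpty` option and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not arbundles code). Limits are the ones quoted from ANS-104 above.
const MAX_TAGS = 128;
const MAX_TAG_KEY_BYTES = 1024;
const MAX_TAG_VALUE_BYTES = 3072;
const MAX_ANCHOR_BYTES = 32;

const utf8 = new TextEncoder();
// The limits are in bytes, so measure the UTF-8 encoding, not String.length.
const byteLen = (s) => utf8.encode(s).length;

// Returns null when the tags pass, otherwise the reason for rejection.
// allowEmpty is a hypothetical option modelling the relaxed check from the review.
function tagError(tags, { allowEmpty = false } = {}) {
  if (!Array.isArray(tags)) return "tags is not an array";
  if (tags.length > MAX_TAGS) return `more than ${MAX_TAGS} tags`;
  for (const [i, tag] of tags.entries()) {
    if (tag === null || typeof tag !== "object") return `tag ${i}: not an object`;
    // Assumption: decoded tags use the field names "name" and "value".
    if (Object.keys(tag).sort().join() !== "name,value") {
      return `tag ${i}: must contain only name and value`;
    }
    if (typeof tag.name !== "string" || typeof tag.value !== "string") {
      return `tag ${i}: name and value must be strings`;
    }
    const nameLen = byteLen(tag.name);
    const valueLen = byteLen(tag.value);
    if (!allowEmpty && (nameLen === 0 || valueLen === 0)) return `tag ${i}: empty name or value`;
    if (nameLen > MAX_TAG_KEY_BYTES) return `tag ${i}: name exceeds ${MAX_TAG_KEY_BYTES} bytes`;
    if (valueLen > MAX_TAG_VALUE_BYTES) return `tag ${i}: value exceeds ${MAX_TAG_VALUE_BYTES} bytes`;
  }
  return null; // no limit on the combined size of all tags
}

// Assumption: the anchor is optional and, when present, is a Uint8Array.
function anchorError(anchor) {
  if (anchor === undefined || anchor === null) return null;
  if (!(anchor instanceof Uint8Array)) return "anchor is not a byte array";
  return anchor.length > MAX_ANCHOR_BYTES ? `anchor exceeds ${MAX_ANCHOR_BYTES} bytes` : null;
}

// Constructed sample inputs.
const twoLargeTags = [
  { name: "a", value: "x".repeat(3072) },
  { name: "b", value: "y".repeat(3072) },
]; // 6146 bytes together, each tag within its own limits
console.log(tagError(twoLargeTags));
console.log(tagError([{ name: "\u00e9".repeat(600), value: "v" }])); // 600 chars, 1200 bytes
console.log(tagError([{ name: "k", value: "" }]));
console.log(anchorError(new Uint8Array(33)));
```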
Comment on lines +247 to +252
if (nameLen === 0 || nameLen > MAX_TAG_KEY_LENGTH) {
return false;
}
if (valueLen === 0 || valueLen > MAX_TAG_VALUE_LENGTH) {
return false;
}
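
Review bot: `nameLen` and `valueLen` in both conditions must be byte counts, not string lengths, for these comparisons to enforce the spec's limits, and neither their computation nor the values of `MAX_TAG_KEY_LENGTH` and `MAX_TAG_VALUE_LENGTH` is visible in lines +247 to +252. A short comment above the checks stating the units would help, along with a test that uses a multi-byte UTF-8 name close to the limit.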


While this does respect the documented spec, there are existing apps and integrations using empty strings on name and value through Turbo.

Suggested change
if (nameLen === 0 || nameLen > MAX_TAG_KEY_LENGTH) {
return false;
}
if (valueLen === 0 || valueLen > MAX_TAG_VALUE_LENGTH) {
return false;
}
if nameLen > MAX_TAG_KEY_LENGTH) {
return false;
}
if (valueLen > MAX_TAG_VALUE_LENGTH) {
return false;
}
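
Review bot: the first replacement condition, `if nameLen > MAX_TAG_KEY_LENGTH) {`, is missing its opening parenthesis and will not parse if the suggestion is applied as written; it should read `if (nameLen > MAX_TAG_KEY_LENGTH) {`. Dropping the `=== 0` comparisons also makes verification accept empty names and values, which the spec text quoted in the PR description excludes, so the deviation should be stated in a code comment next to the checks.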

Author


I appreciate the input.
Apparently there are more instances of other projects violating the spec, so I think the only real change that stands a chance of getting eventually merged is going to be one where we simply check that there are at most 128 tags and each tag (name+val) is 4KB at most.

@nikooo777
Author

closed in favor of #6

@nikooo777 nikooo777 closed this Aug 7, 2025