mirror of
https://github.com/mudler/LocalAI.git
synced 2026-05-18 05:33:09 -04:00
670259ce43
* fix(http): close 0.0.0.0/[::] SSRF bypass in /api/cors-proxy The CORS proxy carried its own private-network blocklist (RFC 1918 + a handful of IPv6 ranges) instead of using the same classification as pkg/utils/urlfetch.go. The hand-rolled list missed 0.0.0.0/8 and ::/128, both of which Linux routes to localhost — so any user with FeatureMCP (default-on for new users) could reach LocalAI's own listener and any other service bound to 0.0.0.0:port via: GET /api/cors-proxy?url=http://0.0.0.0:8080/... GET /api/cors-proxy?url=http://[::]:8080/... Replace the custom check with utils.IsPublicIP (Go stdlib IsLoopback / IsLinkLocalUnicast / IsPrivate / IsUnspecified, plus IPv4-mapped IPv6 unmasking) and add an upfront hostname rejection for localhost, *.local, and the cloud metadata aliases so split-horizon DNS can't paper over the IP check. The IP-pinning DialContext is unchanged: the validated IP from the single resolution is reused for the connection, so DNS rebinding still cannot swap a public answer for a private one between validate and dial. Regression tests cover 0.0.0.0, 0.0.0.0:PORT, [::], ::ffff:127.0.0.1, ::ffff:10.0.0.1, file://, gopher://, ftp://, localhost, 127.0.0.1, 10.0.0.1, 169.254.169.254, metadata.google.internal. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * fix(downloader): verify SHA before promoting temp file to final path DownloadFileWithContext renamed the .partial file to its final name *before* checking the streamed SHA, so a hash mismatch returned an error but left the tampered file at filePath. Subsequent code that operated on filePath (a backend launcher, a YAML loader, a re-download that finds the file already present and skips) would consume the attacker-supplied bytes. Reorder: verify the streamed hash first, remove the .partial on mismatch, then rename. The streamed hash is computed during io.Copy so no second read is needed. While here, raise the empty-SHA case from a Debug log to a Warn so "this download had no integrity check" is visible at the default log level. Backend installs currently pass through with no digest; the warning makes that footprint observable without changing behaviour. Regression test asserts os.IsNotExist on the destination after a deliberate SHA mismatch. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * fix(auth): require email_verified for OIDC admin promotion extractOIDCUserInfo read the ID token's "email" claim but never inspected "email_verified". With LOCALAI_ADMIN_EMAIL set, an attacker who could register on the configured OIDC IdP under that email (some IdPs accept self-supplied unverified emails) inherited admin role: - first login: AssignRole(tx, email, adminEmail) → RoleAdmin - re-login: MaybePromote(db, user, adminEmail) → flip to RoleAdmin Add EmailVerified to oauthUserInfo, parse email_verified from the OIDC claims (default false on absence so an IdP that omits the claim cannot short-circuit the gate), and substitute "" for the role-decision email when verified=false via emailForRoleDecision. The user record still stores the unverified email for display. GitHub's path defaults EmailVerified=true: GitHub only returns a public profile email after verification, and fetchGitHubPrimaryEmail explicitly filters to Verified=true. Regression tests cover both the helper contract and integration with AssignRole, including the bootstrap "first user" branch that would otherwise mask the gate. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * feat(cli): refuse public bind when no auth backend is configured When neither an auth DB nor a static API key is set, the auth middleware passes every request through. That is fine for a developer laptop, a home LAN, or a Tailnet — the network itself is the trust boundary. It is not fine on a public IP, where every model install, settings change, and admin endpoint becomes reachable from the internet. Refuse to start in that exact configuration. Loopback, RFC 1918, RFC 4193 ULA, link-local, and RFC 6598 CGNAT (Tailscale's default range) all count as trusted; wildcard binds (`:port`, `0.0.0.0`, `[::]`) are accepted only when every host interface is in one of those ranges. Hostnames are resolved and treated as trusted only when every answer is. A new --allow-insecure-public-bind / LOCALAI_ALLOW_INSECURE_PUBLIC_BIND flag opts out for deployments that gate access externally (a reverse proxy enforcing auth, a mesh ACL, etc.). The error message lists this plus the three constructive alternatives (bind a private interface, enable --auth, set --api-keys). The interface enumeration goes through a package-level interfaceAddrsFn var so tests can simulate cloud-VM, home-LAN, Tailscale-only, and enumeration-failure topologies without poking at the real network stack. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * test(http): regression-test the localai_assistant admin gate ChatEndpoint already rejects metadata.localai_assistant=true from a non-admin caller, but the gate was open-coded inline with no direct test coverage. The chat route is FeatureChat-gated (default-on), and the assistant's in-process MCP server can install/delete models and edit configs — the wrong handler change would silently turn the LLM into a confused deputy. Extract the gate into requireAssistantAccess(c, authEnabled) and pin its behaviour: auth disabled is a no-op, unauthenticated is 403, RoleUser is 403, RoleAdmin and the synthetic legacy-key admin are admitted. No behaviour change in the production path. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * test(http): assert every API route is auth-classified The auth middleware classifies path prefixes (/api/, /v1/, /models/, etc.) as protected and treats anything else as a static-asset passthrough. A new endpoint shipped under a brand-new prefix — or a new path that simply isn't on the prefix allowlist — would be reachable anonymously. Walk every route registered by API() with auth enabled and a fresh in-memory database (no users, no keys), and assert each API-prefixed route returns 401 / 404 / 405 to an anonymous request. Public surfaces (/api/auth/*, /api/branding, /api/node/* token-authenticated routes, /healthz, branding asset server, generated-content server, static assets) are explicit allowlist entries with comments justifying them. Build-tagged 'auth' so it runs against the SQLite-backed auth DB (matches the existing auth suite). Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * test(http): pin agent endpoint per-user isolation contract agents.go's getUserID / effectiveUserID / canImpersonateUser / wantsAllUsers helpers are the single trust boundary for cross-user access on agent, agent-jobs, collections, and skills routes. A regression there is the difference between "regular user reads their own data" and "regular user reads anyone's data via ?user_id=victim". Lock in the contract: - effectiveUserID ignores ?user_id= for unauthenticated and RoleUser - effectiveUserID honours it for RoleAdmin and ProviderAgentWorker - wantsAllUsers requires admin AND the literal "true" string - canImpersonateUser is admin OR agent-worker, never plain RoleUser No production change — this commit only adds tests. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * fix(downloader): drop redundant stat in removePartialFile The stat-then-remove pattern is a TOCTOU window and a wasted syscall — os.Remove already returns ErrNotExist for the missing-file case, so trust that and treat it as a no-op. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * fix(http): redact secrets from trace buffer and distribution-token logs The /api/traces buffer captured Authorization, Cookie, Set-Cookie, and API-key headers verbatim from every request when tracing was enabled. The endpoint is admin-only but the buffer is reachable via any heap-style introspection and the captured tokens otherwise outlive the request. Strip those header values at capture time. Body redaction is left to a follow-up — the prompts are usually the operator's own and JSON-walking is invasive. Distribution tokens were also logged in plaintext from core/explorer/discovery.go; logs forward to syslog/journald and outlive the token. Redact those to a short prefix/suffix instead. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * feat(auth): rate-limit OAuth callbacks separately from password endpoints The shared 5/min/IP limit on auth endpoints is right for password-style flows but too tight for OAuth callbacks: corporate SSO funnels many real users through one outbound IP and would trip the limit. Add a separate 60/min/IP limiter for /api/auth/{github,oidc}/callback so callbacks are bounded against floods without breaking shared-IP deployments. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * feat(gallery): verify backend tarball sha256 when set in gallery entry GalleryBackend gained an optional sha256 field; the install path now threads it through to the existing downloader hash-verify (which already streams, verifies, and rolls back on mismatch). Galleries without sha256 keep working; the empty-SHA path still emits the existing "downloading without integrity check" warning. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * test(http): pin CSRF coverage on multipart endpoints The CSRF middleware in app.go is global (e.Use) so it covers every multipart upload route — branding assets, fine-tune datasets, audio transforms, agent collections. Pin that contract: cross-site multipart POSTs are rejected; same-origin / same-site / API-key clients are not. Also pins the SameSite=Lax fallback path the skipper relies on when Sec-Fetch-Site is absent. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * feat(http): XSS hardening — CSP headers, safe href, base-href escape, SVG sandbox Several closely related XSS-prevention changes spanning the SPA shell, the React UI, and the branding asset server: - New SecurityHeaders middleware sets CSP, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy on every response. The CSP keeps script-src permissive because the Vite bundle relies on inline + eval'd scripts; tightening that requires moving to a nonce-based policy. - The <base href> injection in the SPA shell escaped attacker-controllable Host / X-Forwarded-Host headers — a single quote in the host header broke out of the attribute. Pass through SecureBaseHref (html.EscapeString). - Three React sinks rendering untrusted content via dangerouslySetInnerHTML switch to text-node rendering with whiteSpace: pre-wrap: user message bodies in Chat.jsx and AgentChat.jsx, and the agent activity log in AgentChat.jsx. The hand-rolled escape on the agent user-message variant is replaced by the same plain-text path. - New safeHref util collapses non-allowlisted URI schemes (most importantly javascript:) to '#'. Applied to gallery `<a href={url}>` links in Models / Backends / Manage and to canvas artifact links — these come from gallery JSON or assistant tool calls and must be treated as untrusted. - The branding asset server attaches a sandbox CSP plus same-origin CORP to .svg responses. The React UI loads logos via <img>, but the same URL is also reachable via direct navigation; this prevents script execution if a hostile SVG slipped past upload validation. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * feat(http): bound HTTP server with read-header and idle timeouts A net/http server with no timeouts is trivially Slowloris-able and leaks idle keep-alive connections. Set ReadHeaderTimeout (30s) to plug the slow-headers attack and IdleTimeout (120s) to cap keep-alive sockets. ReadTimeout and WriteTimeout stay at 0 because request bodies can be multi-GB model uploads and SSE / chat completions stream for many minutes; operators who need tighter per-request bounds should terminate slow clients at a reverse proxy. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * test(auth): pin PUT /api/auth/profile field-tampering contract The handler uses an explicit local body struct (only name and avatar_url) plus a gorm Updates(map) with a column allowlist, so an attacker posting {"role":"admin","email":"...","password_hash":"..."} can't mass-assign those fields. Lock that down with a regression test so a future "let's just c.Bind(&user)" refactor breaks loudly. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * fix(services): strip directory components from multipart upload filenames UploadDataset and UploadToCollectionForUser took the raw multipart file.Filename and joined it into a destination path. The fine-tune upload was incidentally safe because of a UUID prefix that fused any leading '..' to a literal segment, but the protection is fragile. UploadToCollectionForUser handed the filename to a vendored backend without sanitising at all. Strip to filepath.Base at both boundaries and reject the trivial unsafe values ("", ".", "..", "/"). Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * fix(react-ui): validate persisted MCP server entries on load localStorage is shared across same-origin pages; an XSS that lands once can poison persisted MCP server config to attempt header injection or to feed a non-http URL into the fetch path on subsequent loads. Validate every entry: types must match, URL must parse with http(s) scheme, header keys/values must be control-char-free. Drop anything that doesn't fit. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * fix(http): close X-Forwarded-Prefix open redirect The reverse-proxy support concatenated X-Forwarded-Prefix into the redirect target without validation, so a forged header value of "//evil.com" turned the SPA-shell redirect helper at /, /browse, and /browse/* into a 301 to //evil.com/app. The path-strip middleware had the same shape on its prefix-trailing-slash redirect. Add SafeForwardedPrefix at the middleware boundary: must start with a single '/', no protocol-relative '//' opener, no scheme, no backslash, no control characters. Apply at both consumers; misconfig trips the validator and the header is dropped. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * fix(http): refuse wildcard CORS when LOCALAI_CORS=true with empty allowlist When LOCALAI_CORS=true but LOCALAI_CORS_ALLOW_ORIGINS was empty, Echo's CORSWithConfig saw an empty allow-list and fell back to its default AllowOrigins=["*"]. An operator who flipped the strict-CORS feature flag without populating the list got the opposite of what they asked for. Echo never sets Allow-Credentials: true so this isn't directly exploitable (cookies aren't sent under wildcard CORS), but the misconfiguration trap is worth closing. Skip the registration and warn. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * feat(auth): zxcvbn password strength check with user-acknowledged override The previous policy was len < 8, which let through "Password1" and the rest of the credential-stuffing corpus. LocalAI has no second factor yet, so the bar needs to sit higher. Add ValidatePasswordStrength using github.com/timbutler/zxcvbn (an actively-maintained fork of the trustelem port; v1.0.4, April 2024): - min 12 chars, max 72 (bcrypt's truncation point) - reject NUL bytes (some bcrypt callers truncate at the first NUL) - require zxcvbn score >= 3 ("safely unguessable, ~10^8 guesses to break"); the hint list ["localai", "local-ai", "admin"] penalises passwords built from the app's own branding zxcvbn produces false positives sometimes (a strong-looking password that happens to match a dictionary word) and operators occasionally need to set a known-weak password (kiosk demos, CI rigs). Add an acknowledgement path: PasswordPolicy{AllowWeak: true} skips the entropy check while still enforcing the hard rules. The structured PasswordErrorResponse marks weak-password rejections as Overridable so the UI can surface a "use this anyway" checkbox. Wired through register, self-service password change, and admin password reset on both the server and the React UI. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * fix(react-ui): drop HTML5 minLength on new-password inputs minLength={12} on the new-password input let the browser block the form submit silently before any JS or network call ran. The browser focused the field, showed a brief native tooltip, and that was that — no toast, no fetch, no clue. Reproducible by typing fewer than 12 chars on the second password change of a session. The JS-level length check in handleSubmit already shows a toast and the server rejects with a structured error, so the HTML5 attribute was redundant defence anyway. Drop it. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * fix(react-ui): bundle Geist fonts locally instead of fetching from Google The new CSP correctly refused to apply styles from fonts.googleapis.com because style-src is locked to 'self' and 'unsafe-inline'. Loosening the CSP would defeat its purpose; the right fix is to stop reaching out to a third-party CDN for fonts on every page load. Add @fontsource-variable/geist and @fontsource-variable/geist-mono as npm deps and import them once at boot. Drop the <link rel="preconnect"> and external stylesheet from index.html. Side benefit: no third-party tracking via Referer / IP on every UI load, no failure mode when offline / behind a captive portal. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * fix(react-ui): refresh i18n strings to reflect 12-char password minimum The translations still said "at least 8 characters" everywhere — the client-side toast on a too-short password change told the user the wrong floor. Update tooShort and newPasswordPlaceholder / newPasswordDescription across all five locales (en, es, it, de, zh-CN) to match the real ValidatePasswordStrength rule. Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * feat(auth): make password length-floor overridable like the entropy check The 12-char minimum was a policy choice, not a technical invariant — only "non-empty", "<= 72 bytes", and "no NUL bytes" are real bcrypt constraints. Treating length-12 as a hard rule was inconsistent with the entropy check (already overridable) and friction for use cases where the account is just a name on a session, not a security boundary (single-user kiosk, CI rig, lab demo). Restructure ValidatePasswordStrength: - Hard rules (always enforced): non-empty, <= MaxPasswordLength, no NUL byte - Policy rules (skipped when AllowWeak=true): length >= 12, zxcvbn score >= 3 PasswordError now marks password_too_short as Overridable too. The React forms generalised from `error_code === 'password_too_weak'` to `overridable === true`, and the JS-side preflight length checks were removed (server is source of truth, returns the same checkbox flow). Assisted-by: Claude:claude-opus-4-7 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> --------- Signed-off-by: Richard Palethorpe <io@richiejp.com>
348 lines
11 KiB
Go
348 lines
11 KiB
Go
package downloader_test
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"path/filepath"
|
|
"regexp"
|
|
"strconv"
|
|
|
|
. "github.com/mudler/LocalAI/pkg/downloader"
|
|
. "github.com/onsi/ginkgo/v2"
|
|
. "github.com/onsi/gomega"
|
|
)
|
|
|
|
var _ = Describe("Gallery API tests", func() {
|
|
Context("URI", func() {
|
|
It("parses github with a branch", func() {
|
|
uri := URI("github:go-skynet/model-gallery/gpt4all-j.yaml")
|
|
Expect(
|
|
uri.ReadWithCallback("", func(url string, i []byte) error {
|
|
Expect(url).To(Equal("https://raw.githubusercontent.com/go-skynet/model-gallery/main/gpt4all-j.yaml"))
|
|
return nil
|
|
}),
|
|
).ToNot(HaveOccurred())
|
|
})
|
|
It("parses github without a branch", func() {
|
|
uri := URI("github:go-skynet/model-gallery/gpt4all-j.yaml@main")
|
|
|
|
Expect(
|
|
uri.ReadWithCallback("", func(url string, i []byte) error {
|
|
Expect(url).To(Equal("https://raw.githubusercontent.com/go-skynet/model-gallery/main/gpt4all-j.yaml"))
|
|
return nil
|
|
}),
|
|
).ToNot(HaveOccurred())
|
|
})
|
|
It("parses github with urls", func() {
|
|
uri := URI("https://raw.githubusercontent.com/go-skynet/model-gallery/main/gpt4all-j.yaml")
|
|
Expect(
|
|
uri.ReadWithCallback("", func(url string, i []byte) error {
|
|
Expect(url).To(Equal("https://raw.githubusercontent.com/go-skynet/model-gallery/main/gpt4all-j.yaml"))
|
|
return nil
|
|
}),
|
|
).ToNot(HaveOccurred())
|
|
})
|
|
})
|
|
|
|
Context("HuggingFace mirror", func() {
|
|
var originalEndpoint string
|
|
|
|
BeforeEach(func() {
|
|
originalEndpoint = HF_ENDPOINT
|
|
})
|
|
|
|
AfterEach(func() {
|
|
HF_ENDPOINT = originalEndpoint
|
|
})
|
|
|
|
It("rewrites direct https://huggingface.co URLs when mirror is set", func() {
|
|
HF_ENDPOINT = "https://hf-mirror.com"
|
|
uri := URI("https://huggingface.co/TheBloke/model-GGUF/resolve/main/model.Q4_K_M.gguf")
|
|
Expect(uri.ResolveURL()).To(Equal("https://hf-mirror.com/TheBloke/model-GGUF/resolve/main/model.Q4_K_M.gguf"))
|
|
})
|
|
|
|
It("does not rewrite direct https://huggingface.co URLs when no mirror is set", func() {
|
|
HF_ENDPOINT = "https://huggingface.co"
|
|
uri := URI("https://huggingface.co/TheBloke/model-GGUF/resolve/main/model.Q4_K_M.gguf")
|
|
Expect(uri.ResolveURL()).To(Equal("https://huggingface.co/TheBloke/model-GGUF/resolve/main/model.Q4_K_M.gguf"))
|
|
})
|
|
|
|
It("rewrites hf:// URIs when mirror is set", func() {
|
|
HF_ENDPOINT = "https://hf-mirror.com"
|
|
uri := URI("hf://TheBloke/model-GGUF/model.Q4_K_M.gguf")
|
|
Expect(uri.ResolveURL()).To(Equal("https://hf-mirror.com/TheBloke/model-GGUF/resolve/main/model.Q4_K_M.gguf"))
|
|
})
|
|
|
|
It("does not rewrite non-huggingface URLs", func() {
|
|
HF_ENDPOINT = "https://hf-mirror.com"
|
|
uri := URI("https://example.com/some/file.gguf")
|
|
Expect(uri.ResolveURL()).To(Equal("https://example.com/some/file.gguf"))
|
|
})
|
|
})
|
|
})
|
|
|
|
var _ = Describe("ContentLength", func() {
|
|
Context("local file", func() {
|
|
It("returns file size for existing file", func() {
|
|
dir, err := os.MkdirTemp("", "contentlength-*")
|
|
Expect(err).ToNot(HaveOccurred())
|
|
defer os.RemoveAll(dir)
|
|
fpath := filepath.Join(dir, "model.gguf")
|
|
err = os.WriteFile(fpath, make([]byte, 1234), 0644)
|
|
Expect(err).ToNot(HaveOccurred())
|
|
uri := URI("file://" + fpath)
|
|
ctx := context.Background()
|
|
size, err := uri.ContentLength(ctx)
|
|
Expect(err).ToNot(HaveOccurred())
|
|
Expect(size).To(Equal(int64(1234)))
|
|
})
|
|
It("returns error for missing file", func() {
|
|
uri := URI("file:///nonexistent/path/model.gguf")
|
|
ctx := context.Background()
|
|
_, err := uri.ContentLength(ctx)
|
|
Expect(err).To(HaveOccurred())
|
|
})
|
|
})
|
|
Context("HTTP", func() {
|
|
It("returns Content-Length when present", func() {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
Expect(r.Method).To(Equal("HEAD"))
|
|
w.Header().Set("Content-Length", "1000")
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer server.Close()
|
|
uri := URI(server.URL)
|
|
ctx := context.Background()
|
|
size, err := uri.ContentLength(ctx)
|
|
Expect(err).ToNot(HaveOccurred())
|
|
Expect(size).To(Equal(int64(1000)))
|
|
})
|
|
It("returns error on 404", func() {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusNotFound)
|
|
}))
|
|
defer server.Close()
|
|
uri := URI(server.URL)
|
|
ctx := context.Background()
|
|
_, err := uri.ContentLength(ctx)
|
|
Expect(err).To(HaveOccurred())
|
|
})
|
|
It("uses Range when Content-Length missing and Accept-Ranges bytes", func() {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method == "HEAD" {
|
|
w.Header().Set("Accept-Ranges", "bytes")
|
|
w.WriteHeader(http.StatusOK)
|
|
return
|
|
}
|
|
Expect(r.Header.Get("Range")).To(Equal("bytes=0-0"))
|
|
w.Header().Set("Content-Range", "bytes 0-0/5000")
|
|
w.WriteHeader(http.StatusPartialContent)
|
|
}))
|
|
defer server.Close()
|
|
uri := URI(server.URL)
|
|
ctx := context.Background()
|
|
size, err := uri.ContentLength(ctx)
|
|
Expect(err).ToNot(HaveOccurred())
|
|
Expect(size).To(Equal(int64(5000)))
|
|
})
|
|
It("respects context cancellation", func() {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Length", "1000")
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer server.Close()
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
cancel()
|
|
uri := URI(server.URL)
|
|
_, err := uri.ContentLength(ctx)
|
|
Expect(err).To(HaveOccurred())
|
|
Expect(errors.Is(err, context.Canceled)).To(BeTrue())
|
|
})
|
|
})
|
|
})
|
|
|
|
type RangeHeaderError struct {
|
|
msg string
|
|
}
|
|
|
|
func (e *RangeHeaderError) Error() string { return e.msg }
|
|
|
|
var _ = Describe("Download Test", func() {
|
|
var mockData []byte
|
|
var mockDataSha string
|
|
var filePath string
|
|
|
|
extractRangeHeader := func(rangeString string) (int, int, error) {
|
|
regex := regexp.MustCompile(`^bytes=(\d+)-(\d+|)$`)
|
|
matches := regex.FindStringSubmatch(rangeString)
|
|
rangeErr := RangeHeaderError{msg: "invalid / ill-formatted range"}
|
|
if matches == nil {
|
|
return -1, -1, &rangeErr
|
|
}
|
|
startPos, err := strconv.Atoi(matches[1])
|
|
if err != nil {
|
|
return -1, -1, err
|
|
}
|
|
|
|
endPos := -1
|
|
if matches[2] != "" {
|
|
endPos, err = strconv.Atoi(matches[2])
|
|
if err != nil {
|
|
return -1, -1, err
|
|
}
|
|
endPos += 1 // because range is inclusive in rangeString
|
|
}
|
|
return startPos, endPos, nil
|
|
}
|
|
|
|
getMockServer := func(supportsRangeHeader bool) *httptest.Server {
|
|
mockServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "HEAD" && r.Method != "GET" {
|
|
w.WriteHeader(http.StatusNotFound)
|
|
return
|
|
}
|
|
if r.Method == "HEAD" {
|
|
if supportsRangeHeader {
|
|
w.Header().Add("Accept-Ranges", "bytes")
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
return
|
|
}
|
|
// GET method
|
|
startPos := 0
|
|
endPos := len(mockData)
|
|
var err error
|
|
var respData []byte
|
|
rangeString := r.Header.Get("Range")
|
|
if rangeString != "" {
|
|
startPos, endPos, err = extractRangeHeader(rangeString)
|
|
if err != nil {
|
|
if _, ok := err.(*RangeHeaderError); ok {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
return
|
|
}
|
|
Expect(err).ToNot(HaveOccurred())
|
|
}
|
|
if endPos == -1 {
|
|
endPos = len(mockData)
|
|
}
|
|
if startPos < 0 || startPos >= len(mockData) || endPos < 0 || endPos > len(mockData) || startPos > endPos {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
return
|
|
}
|
|
}
|
|
respData = mockData[startPos:endPos]
|
|
w.WriteHeader(http.StatusOK)
|
|
w.Write(respData)
|
|
}))
|
|
mockServer.EnableHTTP2 = true
|
|
mockServer.Start()
|
|
return mockServer
|
|
}
|
|
|
|
BeforeEach(func() {
|
|
mockData = make([]byte, 20000)
|
|
_, err := rand.Read(mockData)
|
|
Expect(err).ToNot(HaveOccurred())
|
|
_mockDataSha := sha256.New()
|
|
_, err = _mockDataSha.Write(mockData)
|
|
Expect(err).ToNot(HaveOccurred())
|
|
mockDataSha = fmt.Sprintf("%x", _mockDataSha.Sum(nil))
|
|
dir, err := os.Getwd()
|
|
filePath = dir + "/my_supercool_model"
|
|
Expect(err).NotTo(HaveOccurred())
|
|
})
|
|
|
|
Context("URI DownloadFile", func() {
|
|
It("fetches files from mock server", func() {
|
|
mockServer := getMockServer(true)
|
|
defer mockServer.Close()
|
|
uri := URI(mockServer.URL)
|
|
err := uri.DownloadFile(filePath, mockDataSha, 1, 1, func(s1, s2, s3 string, f float64) {})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
})
|
|
|
|
It("resumes partially downloaded files", func() {
|
|
mockServer := getMockServer(true)
|
|
defer mockServer.Close()
|
|
uri := URI(mockServer.URL)
|
|
// Create a partial file
|
|
tmpFilePath := filePath + ".partial"
|
|
file, err := os.OpenFile(tmpFilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
|
|
Expect(err).ToNot(HaveOccurred())
|
|
_, err = file.Write(mockData[0:10000])
|
|
Expect(err).ToNot(HaveOccurred())
|
|
err = uri.DownloadFile(filePath, mockDataSha, 1, 1, func(s1, s2, s3 string, f float64) {})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
})
|
|
|
|
It("restarts download from 0 if server doesn't support Range header", func() {
|
|
mockServer := getMockServer(false)
|
|
defer mockServer.Close()
|
|
uri := URI(mockServer.URL)
|
|
// Create a partial file
|
|
tmpFilePath := filePath + ".partial"
|
|
file, err := os.OpenFile(tmpFilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
|
|
Expect(err).ToNot(HaveOccurred())
|
|
_, err = file.Write(mockData[0:10000])
|
|
Expect(err).ToNot(HaveOccurred())
|
|
err = uri.DownloadFile(filePath, mockDataSha, 1, 1, func(s1, s2, s3 string, f float64) {})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
})
|
|
|
|
// A file that fails its SHA check must not be usable. The historical
|
|
// implementation renamed the temp file to its final path *before*
|
|
// verifying the hash, so a mismatch returned an error but left a
|
|
// tampered file at the destination — the next caller (e.g. a backend
|
|
// launcher) could pick it up and run with it.
|
|
It("does not leave a corrupted file at the destination on SHA mismatch", func() {
|
|
mockServer := getMockServer(true)
|
|
defer mockServer.Close()
|
|
uri := URI(mockServer.URL)
|
|
|
|
// Use a clearly-wrong expected SHA; the server will return real
|
|
// data with a different hash.
|
|
wrongSHA := "0000000000000000000000000000000000000000000000000000000000000000"
|
|
err := uri.DownloadFile(filePath, wrongSHA, 1, 1, func(s1, s2, s3 string, f float64) {})
|
|
Expect(err).To(HaveOccurred())
|
|
Expect(err.Error()).To(ContainSubstring("SHA"))
|
|
|
|
// The file must not exist at the final destination.
|
|
_, statErr := os.Stat(filePath)
|
|
Expect(os.IsNotExist(statErr)).To(BeTrue(),
|
|
"download with wrong SHA left a file at %s — a subsequent caller could load tampered content", filePath)
|
|
})
|
|
|
|
// A download without an expected digest is a supply-chain footgun.
|
|
// The downloader allows it (backend installs pass through here
|
|
// today and don't yet ship a digest) but it is the caller's
|
|
// responsibility to know when integrity is required. The downloader
|
|
// emits a WARN log on every empty-digest download to make this
|
|
// visible at the default log level.
|
|
It("succeeds with empty SHA but emits an integrity warning", func() {
|
|
mockServer := getMockServer(true)
|
|
defer mockServer.Close()
|
|
uri := URI(mockServer.URL)
|
|
|
|
// No assertion on logs (we don't capture xlog output here),
|
|
// but the call must succeed so existing backend installs do
|
|
// not regress.
|
|
err := uri.DownloadFile(filePath, "", 1, 1, func(s1, s2, s3 string, f float64) {})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
_, statErr := os.Stat(filePath)
|
|
Expect(statErr).ToNot(HaveOccurred())
|
|
})
|
|
})
|
|
|
|
AfterEach(func() {
|
|
os.Remove(filePath) // cleanup, also checks existence of filePath`
|
|
os.Remove(filePath + ".partial")
|
|
})
|
|
})
|