new index: replaceDeletion

- The previous method of detecting the deletion of PREs involved an arbitrarily long
  scan in the write path. This could have potentially been a DoS vector, since users
  can create an arbitrarily large number of deletion events for their own events.

Author: hoytech

golpe

@@ -10,6 +10,8 @@ features:
     templar: true
 
 includes: |
+    #include "golpe.h"
+    #include "global.h"
     #include "PackedEvent.h"
     #include "EventUtils.h"
 
@@ -47,6 +49,8 @@ tables:
         multi: true
       replace: # pubkey, d-tag, kind
         multi: true
+      replaceDeletion: # hash(a-tag), created_at
+        multi: true
 
     indexPrelude: |
         PackedEventView packed(v.buf);
@@ -69,11 +73,11 @@ tables:
                 }
             } else if (tagName == 'a') {
                 if (packed.kind() == 5) {
-                    try {
+                    try { // parseATag can fail
                         auto [kind, pubkey, dTag] = parseATag(tagVal);
 
                         if (isParamReplaceableKind(kind) && pubkey == packed.pubkey()) {
-                            replace.push_back(makeKey_StringUint64(pubkey + dTag, kind));
+                            replaceDeletion.push_back(makeKey_StringUint64(sha256(tagVal).sv(), packed.created_at()));
                         }
                     } catch(...) {
                     }

golpe.yaml

@@ -1,6 +1,7 @@
 #pragma once
 
 #include <cstring>
+#include <string>
 #include <string_view>
 
 #include "golpe.h"
@@ -14,6 +15,10 @@ struct Bytes32 {
         memcpy(buf, s.data(), 32);
     }
 
+    std::string str() const {
+        return std::string((char*)buf, 32);
+    }
+
     std::string_view sv() const {
         return std::string_view((char*)buf, 32);
     }

src/Bytes32.h

@@ -3,7 +3,8 @@
 #include <string_view>
 #include <string>
 #include <tuple>
-#include <stdexcept>
+
+#include "golpe.h"
 
 
 inline bool isReplaceableKind(uint64_t kind) {
@@ -30,18 +31,18 @@ inline bool isEphemeralKind(uint64_t kind) {
 
 inline std::tuple<uint64_t, std::string, std::string> parseATag(std::string_view input) {
     size_t firstColon = input.find(':');
-    if (firstColon == std::string::npos) throw std::invalid_argument("parse error");
+    if (firstColon == std::string::npos) throw herr("parse error");
 
     std::string_view kindStr = input.substr(0, firstColon);
     size_t pos;
     uint64_t kind = std::stoull(std::string(kindStr), &pos);
-    if (pos != kindStr.size()) throw std::invalid_argument("parse error");
+    if (pos != kindStr.size()) throw herr("parse error");
 
     size_t secondColon = input.find(':', firstColon + 1);
-    if (secondColon == std::string::npos) throw std::invalid_argument("parse error");
+    if (secondColon == std::string::npos) throw herr("parse error");
 
     std::string_view pubkeyStr = input.substr(firstColon + 1, secondColon - firstColon - 1);
-    if (pubkeyStr.size() != 64) throw std::invalid_argument("parse error");
+    if (pubkeyStr.size() != 64) throw herr("parse error");
 
     std::string dTag = std::string(input.substr(secondColon + 1));
 

src/EventUtils.h

@@ -1,4 +1,3 @@
-#include <openssl/sha.h>
 #include <negentropy.h>
 
 #include "events.h"
@@ -23,7 +22,7 @@ std::string nostrJsonToPackedEvent(const tao::json::value &v) {
     uint64_t expiration = 0;
 
     if (isReplaceableKind(kind)) {
-        // Prepend virtual d-tag
+        // Prepend virtual d-tag. Any later d-tags will be ignored during indexing
         tagBuilder.add('d', "");
     }
 
@@ -58,7 +57,7 @@ std::string nostrJsonToPackedEvent(const tao::json::value &v) {
     }
 
     if (isParamReplaceableKind(kind)) {
-        // Append virtual d-tag
+        // Append virtual d-tag. Will be overidden by any previous d-tags.
         tagBuilder.add('d', "");
     }
 
@@ -84,10 +83,7 @@ Bytes32 nostrHash(const tao::json::value &origJson) {
 
     std::string encoded = tao::json::to_string(arr);
 
-    unsigned char hash[SHA256_DIGEST_LENGTH];
-    SHA256(reinterpret_cast<unsigned char*>(encoded.data()), encoded.size(), hash);
-
-    return Bytes32(std::string_view(reinterpret_cast<char*>(hash), SHA256_DIGEST_LENGTH));
+    return sha256(encoded);
 }
 
 bool verifySig(secp256k1_context* ctx, std::string_view sig, std::string_view hash, std::string_view pubkey) {
@@ -280,50 +276,52 @@ void writeEvents(lmdb::txn &txn, NegentropyFilterCache &neFilterCache, std::vect
                 continue;
             }
 
-            {
+            if (isReplaceableKind(packed.kind()) || isParamReplaceableKind(packed.kind())) {
                 std::optional<std::string> replace;
 
-                if (isReplaceableKind(packed.kind()) || isParamReplaceableKind(packed.kind())) {
-                    packed.foreachTag([&](char tagName, std::string_view tagVal){
-                        if (tagName != 'd') return true;
-                        replace = std::string(tagVal);
-                        return false;
-                    });
-                }
+                packed.foreachTag([&](char tagName, std::string_view tagVal){
+                    if (tagName != 'd') return true;
+                    replace = std::string(tagVal);
+                    return false;
+                });
 
                 if (replace) {
                     auto searchStr = std::string(packed.pubkey()) + *replace;
                     auto searchKey = makeKey_StringUint64(searchStr, packed.kind());
 
+                    // Check if there is a newer event in the DB, or an older event to replace
+
                     env.generic_foreachFull(txn, env.dbi_Event__replace, searchKey, lmdb::to_sv<uint64_t>(MAX_U64), [&](auto k, auto v) {
                         if (k != searchKey) return false;
 
                         auto otherEv = lookupEventByLevId(txn, lmdb::from_sv<uint64_t>(v));
                         auto otherPacked = PackedEventView(otherEv.buf);
 
                         if (isEventABeforeEventB(packed, otherPacked)) {
-                            ev.status = otherPacked.kind() == 5 ? EventWriteStatus::Deleted : EventWriteStatus::Replaced;
-                            return false; // found more recent replacement event, no need to scan more
+                            ev.status = EventWriteStatus::Replaced;
+                        } else {
+                            if (logLevel >= 1) LI << "Deleting event (d-tag). id=" << to_hex(otherPacked.id());
+                            levIdsToDelete.push_back(otherEv.primaryKeyId);
                         }
 
-                        return true;
+                        return false;
                     }, true);
 
-                    // If event is accepted (pending write), then do a second pass to remove/unindex outdated events
+                    // If param-replaceable event is still accepted (pending write), check if there is a more recent deletion
 
-                    if (ev.status == EventWriteStatus::Pending) {
-                        env.generic_foreachFull(txn, env.dbi_Event__replace, searchKey, lmdb::to_sv<uint64_t>(MAX_U64), [&](auto k, auto v) {
-                            if (k != searchKey) return false;
+                    if (isParamReplaceableKind(packed.kind()) && ev.status == EventWriteStatus::Pending) {
+                        auto searchStr = sha256(std::to_string(packed.kind()) + ":" + to_hex(packed.pubkey()) + ":" + *replace).str();
+                        auto searchKey = makeKey_StringUint64(searchStr, MAX_U64);
 
-                            auto otherEv = lookupEventByLevId(txn, lmdb::from_sv<uint64_t>(v));
-                            auto otherPacked = PackedEventView(otherEv.buf);
+                        env.generic_foreachFull(txn, env.dbi_Event__replaceDeletion, searchKey, lmdb::to_sv<uint64_t>(MAX_U64), [&](auto k, auto v) {
+                            ParsedKey_StringUint64 parsedKey(k);
+                            if (parsedKey.s != searchStr) return false;
 
-                            if (otherPacked.kind() != 5) {
-                                if (logLevel >= 1) LI << "Deleting event (d-tag). id=" << to_hex(otherPacked.id());
-                                levIdsToDelete.push_back(otherEv.primaryKeyId);
+                            if (parsedKey.n >= packed.created_at()) {
+                                ev.status = EventWriteStatus::Deleted;
                             }
 
-                            return true;
+                            return false;
                         }, true);
                     }
                 }
@@ -351,14 +349,12 @@ void writeEvents(lmdb::txn &txn, NegentropyFilterCache &neFilterCache, std::vect
                                     auto otherEv = lookupEventByLevId(txn, lmdb::from_sv<uint64_t>(v));
                                     auto otherPacked = PackedEventView(otherEv.buf);
 
-                                    if (isEventABeforeEventB(otherPacked, packed)) {
-                                        if (otherPacked.kind() != 5) {
-                                            if (logLevel >= 1) LI << "Deleting replaceable event (kind 5). id=" << to_hex(otherPacked.id());
-                                            levIdsToDelete.push_back(otherEv.primaryKeyId);
-                                        }
+                                    if (otherPacked.created_at() <= packed.created_at()) {
+                                        if (logLevel >= 1) LI << "Deleting replaceable event (kind 5). id=" << to_hex(otherPacked.id());
+                                        levIdsToDelete.push_back(otherEv.primaryKeyId);
                                     }
 
-                                    return true;
+                                    return false;
                                 }, true);
                             }
                         } catch(...) {

src/events.cpp

@@ -7,8 +7,10 @@ using namespace phmap;
 
 
 #include "constants.h"
+#include "Bytes32.h"
 
 
+Bytes32 sha256(std::string_view inp);
 std::string renderIP(std::string_view ipBytes);
 std::string renderSize(uint64_t si);
 std::string renderPercent(double p);

src/global.h

@@ -9,9 +9,20 @@
 #include <algorithm>
 #include <string>
 
+#include <openssl/sha.h>
+
 #include "golpe.h"
 
 
+
+
+Bytes32 sha256(std::string_view inp) {
+    unsigned char hash[SHA256_DIGEST_LENGTH];
+    SHA256(reinterpret_cast<const unsigned char*>(inp.data()), inp.size(), hash);
+
+    return Bytes32(std::string_view(reinterpret_cast<const char*>(hash), SHA256_DIGEST_LENGTH));
+}
+
 std::string renderIP(std::string_view ipBytes) {
     char buf[128];
 

src/misc.cpp

@@ -164,28 +164,48 @@
 
 
 
+
 doTest({
-    desc => "Deletion by a-tag",
+    desc => "Deletion by a-tag, same event blocked",
     events => [
         qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 5000 --tag d "hello"},
-        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 5000 --tag d "blah"},
-        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 5000 --tag d "whatever"},
-        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30001 --created-at 5000 --tag d "whatever"},
-        qq{--sec $ids->[1]->{sec} --content "hi" --kind 30000 --created-at 5000 --tag d "whatever"},
-        qq{--sec $ids->[0]->{sec} --content "blah" --kind 5 --created-at 6000 --tag a "30000:$ids->[0]->{pub}:hello" --tag a "30000:$ids->[0]->{pub}:whatever" --tag a "30000:$ids->[0]->{pub}:stuff"},
+        qq{--sec $ids->[0]->{sec} --content "blah" --kind 5 --created-at 6000 --tag a "30000:$ids->[0]->{pub}:hello"},
+        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 5000 --tag d "hello"}, # blocked
     ],
-    verify => [ 1, 3, 4, 5, ],
+    verify => [ 1, ],
 });
 
 doTest({
-    desc => "Deletion by a-tag, can re-add later event",
+    desc => "Deletion by a-tag, earlier event blocked",
     events => [
         qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 5000 --tag d "hello"},
         qq{--sec $ids->[0]->{sec} --content "blah" --kind 5 --created-at 6000 --tag a "30000:$ids->[0]->{pub}:hello"},
-        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 5500 --tag d "hello"}, ## before deletion: can't add
-        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 6500 --tag d "hello"}, ## after deletion: can add
+        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 5500 --tag d "hello"}, # blocked
     ],
-    verify => [ 1, 3, ],
+    verify => [ 1, ],
+});
+
+doTest({
+    desc => "Deletion by a-tag, later event OK",
+    events => [
+        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 5000 --tag d "hello"},
+        qq{--sec $ids->[0]->{sec} --content "blah" --kind 5 --created-at 6000 --tag a "30000:$ids->[0]->{pub}:hello"},
+        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 6500 --tag d "hello"}, ## after deletion: OK
+    ],
+    verify => [ 1, 2, ],
+});
+
+doTest({
+    desc => "Deletion by a-tag, multiple tags",
+    events => [
+        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 5000 --tag d "hello"},
+        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 5000 --tag d "blah"},
+        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30000 --created-at 5000 --tag d "whatever"},
+        qq{--sec $ids->[0]->{sec} --content "hi" --kind 30001 --created-at 5000 --tag d "whatever"},
+        qq{--sec $ids->[1]->{sec} --content "hi" --kind 30000 --created-at 5000 --tag d "whatever"},
+        qq{--sec $ids->[0]->{sec} --content "blah" --kind 5 --created-at 6000 --tag a "30000:$ids->[0]->{pub}:hello" --tag a "30000:$ids->[0]->{pub}:whatever" --tag a "30000:$ids->[0]->{pub}:stuff"},
+    ],
+    verify => [ 1, 3, 4, 5, ],
 });
 
 doTest({