fix(gw): entity-bytes with negative indexes beyond file size (#523)

* fix(gateway): bound negative indexes to size of file
* fix: adjust negative to when from is negative too
* chore: [email protected]

https://github.com/ipfs/gateway-conformance/releases/tag/v0.5.0

---------

Co-authored-by: Marcin Rataj <[email protected]>

Author: hannahhoward

.github/workflows/gateway-conformance.yml

@@ -16,18 +16,18 @@ jobs:
     steps:
       # 1. Download the gateway-conformance fixtures
       - name: Download gateway-conformance fixtures
-        uses: ipfs/gateway-conformance/.github/actions/extract-fixtures@v0.4
+        uses: ipfs/gateway-conformance/.github/actions/extract-fixtures@v0.5
         with:
           output: fixtures
           merged: true
 
       # 2. Build the car-gateway
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: 1.21.x
       - name: Checkout boxo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: boxo
       - name: Build car-gateway
@@ -40,7 +40,7 @@ jobs:
 
       # 4. Run the gateway-conformance tests
       - name: Run gateway-conformance tests
-        uses: ipfs/gateway-conformance/.github/actions/test@v0.4
+        uses: ipfs/gateway-conformance/.github/actions/test@v0.5
         with:
           gateway-url: http://127.0.0.1:8040
           json: output.json

CHANGELOG.md

@@ -24,7 +24,10 @@ The following emojis are used to highlight certain changes:
 
 ### Removed
 
-- 🛠 `gateway`: the header configuration `Config.Headers` and `AddAccessControlHeaders` has been replaced by the new middleware provided by `NewHeaders`.
+### Fixed
+
+- 🛠 `boxo/gateway`: when making a trustless CAR request with the "entity-bytes" parameter, using a negative index greater than the underlying entity length could trigger reading more data than intended
+- 🛠 `boxo/gateway`: the header configuration `Config.Headers` and `AddAccessControlHeaders` has been replaced by the new middleware provided by `NewHeaders`.
 
 ### Security
 

gateway/blocks_backend.go

@@ -508,6 +508,9 @@ func walkGatewaySimpleSelector(ctx context.Context, p path.ImmutablePath, params
 					return err
 				}
 				from = fileLength + entityRange.From
+				if from < 0 {
+					from = 0
+				}
 				foundFileLength = true
 			}
 
@@ -521,13 +524,15 @@ func walkGatewaySimpleSelector(ctx context.Context, p path.ImmutablePath, params
 			}
 
 			to := *entityRange.To
-			if (*entityRange.To) < 0 && !foundFileLength {
-				fileLength, err = f.Seek(0, io.SeekEnd)
-				if err != nil {
-					return err
+			if (*entityRange.To) < 0 {
+				if !foundFileLength {
+					fileLength, err = f.Seek(0, io.SeekEnd)
+					if err != nil {
+						return err
+					}
+					foundFileLength = true
 				}
 				to = fileLength + *entityRange.To
-				foundFileLength = true
 			}
 
 			numToRead := 1 + to - from