Impact
go-ipfs nodes with versions 0.10.0, 0.11.0, 0.12.0, or 0.12.1 can crash when trying to traverse certain malformed graphs due to an issue in the go-codec-dagpb dependency. Vulnerable nodes that work with these malformed graphs may crash leading to denial-of-service risks.
This particularly impacts nodes that download or export data that is controlled by external user input as there is the possibility that a malicious user of those services could (intentionally or unintentionally) cause the node to traverse a malformed graph. Some notable use cases include public gateways and pinning services which fetch data on behalf of users, as well as applications such as IPFS Companion which load data based on a user visiting a website with links to IPFS URLs.
Patches
Versions v0.11.1 and v0.12.2 both resolve this issue. This should make it easy to upgrade, even if you have not yet performed the v0.12.0 migration.
For those running on forked versions of go-ipfs or who are on v0.10.0 and are having trouble with the v0.11.0 breaking changes, simply updating the version of go-codec-dagpb
you are using to >=v1.3.2 should resolve the issue.
Any users of libraries within the go-ipfs ecosystem, even if not the go-ipfs package or binary itself, may be affected and should upgrade their dependency on go-codec-dagpb. You can check if your Go module has a dependency on go-codec-dagpb
by running a command such as go mod graph | grep go-codec-dagpb
in your module root.
Workarounds
The best way to workaround this issue is to control exposure to any endpoints that allow for arbitrary IPLD traversals. This primarily includes the HTTP RPC API (https://docs.ipfs.io/reference/http/api ) and the Gateway API. If you are exposing those APIs, then do so within an environment where only trusted users and applications you control have access to it. You should be safe as long as your users and applications do not create malformed graphs, which should not happen using standard go-ipfs
tooling.
If you previously had a more open access environment, then closing off access will only be sufficient if both of the following are true:
- The experimental GraphSync feature is disabled (https://github.com/ipfs/go-ipfs/blob/master/docs/experimental-features.md#graphsync)
- The only data being accessed is non-malformed data
References
See also the go-codec-dagpb security advisory.
For more information
If you have any questions or comments about this advisory:
- Ask in IPFS Discord #ipfs-chatter
- Open an issue in go-ipfs
References