httpsync uses the IPLD write opener to write the fetched content and the committer to store the link to the content. The trouble is that using the committer directly does not verify that the digest matches the written content.
Compute the digest of downloaded content and check that it matches the given CID before persisting.
Be aware of incorrect DagJSON usage; for example, the CIDs advertised by nft.storage use the digest of the raw response content instead of following the serialisation specification prior to calculating the digest. Therefore, we do need specific code branches to also accept digests calculated directly from the response body, ignoring the CID codec.
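A sketch of the check described above, added here as an illustration and not taken from httpsync: it hashes the raw response body, compares the result with the multihash carried in a binary CIDv1, and calls the commit step only on a match, ignoring the codec. It uses only the Go standard library; `parseCID`, `verifyThenCommit`, `makeCID` and the sample body are hypothetical names and constructed data, and only sha2-256 is handled.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// parseCID splits a binary CIDv1: <version><codec><mh-code><mh-len><digest> (sha2-256 only).
func parseCID(c []byte) (codec uint64, digest []byte, err error) {
	var f [4]uint64
	for i := range f {
		v, n := binary.Uvarint(c)
		if n <= 0 {
			return 0, nil, fmt.Errorf("truncated CID")
		}
		f[i], c = v, c[n:]
	}
	if f[0] != 1 || f[2] != 0x12 || f[3] != uint64(len(c)) {
		return 0, nil, fmt.Errorf("expected CIDv1 with a complete sha2-256 multihash")
	}
	return f[1], c, nil
}

// verifyThenCommit hashes the raw body (codec ignored) and commits only on a match.
func verifyThenCommit(cid, body []byte, commit func() error) error {
	_, want, err := parseCID(cid)
	if err != nil {
		return err
	}
	if got := sha256.Sum256(body); !bytes.Equal(got[:], want) {
		return fmt.Errorf("digest mismatch: content not persisted")
	}
	return commit()
}

// makeCID builds a constructed sample CIDv1 (dag-json codec 0x0129) over the raw body.
func makeCID(body []byte) []byte {
	sum := sha256.Sum256(body)
	return append(append(binary.AppendUvarint([]byte{1}, 0x0129), 0x12, 32), sum[:]...)
}

func main() {
	body := []byte(`{"hello":"world"}`) // constructed sample response
	commit := func() error { fmt.Println("committed"); return nil }
	fmt.Println(verifyThenCommit(makeCID(body), body, commit))
	fmt.Println(verifyThenCommit(makeCID(body), []byte("tampered"), commit))
}
```

A stricter branch would first check the digest over the canonical DagJSON serialisation and fall back to this raw-body comparison only where the codec is known to be misused.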