docs: add paragraph describing HAMT fanout limit #507

Closed
achingbrain wants to merge 2 commits into main from docs/mention-hamt-fanout-limit

@achingbrain (Member) commented Jun 16, 2025

I came across this comment in the boxo source code.

It's worth documenting this constant so other implementations don't expose themselves to GHSA-q264-w97q-q778 accidentally.

Refs: ipshipyard/roadmaps#16

@github-actions commented

🚀 Build Preview on IPFS ready

@achingbrain (Member, Author) commented

Looks like lots of bits of the spec fail the linter

lidel added a commit to Jorropo/specs that referenced this pull request Aug 23, 2025
incorporate CVE-2023-23625 vulnerability details from ipfs#507
- enforce maximum fanout of 1024 to prevent DoS attacks
- add security warning with links to CVE and GHSA advisory

@lidel (Member) commented Aug 23, 2025

Thank you @achingbrain!
I've incorporated this security warning into the HAMT section in #331 (28b6a14) that will supersede the old spec modified here.

Boxo seems to already enforce a limit of max 1024 (maximumHamtWidth = 1 << 10), so I went with that in the spec (better safe than sorry).

@lidel lidel closed this Aug 23, 2025
@lidel lidel deleted the docs/mention-hamt-fanout-limit branch August 23, 2025 23:12
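
The limit discussed in this thread, as an added Go example (not code from the pull request, the spec or boxo): the fanout read from an untrusted shard node is checked against the 1024 cap before it sizes any allocation. `ShardHeader`, `AllocChildren` and the error names are hypothetical, and the power-of-two and bitfield-length checks are assumptions added here beyond the cap itself.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// MaxHAMTFanout is the limit quoted in the thread (1 << 10 = 1024).
const MaxHAMTFanout = 1 << 10

var (
	ErrFanoutTooLarge = errors.New("hamt: fanout exceeds maximum")
	ErrFanoutInvalid  = errors.New("hamt: fanout is not a power of two")
	ErrBitfieldSize   = errors.New("hamt: bitfield longer than fanout allows")
)

// ShardHeader is a hypothetical stand-in for the fields decoded from an
// untrusted HAMT shard node; it is not a boxo type.
type ShardHeader struct {
	Fanout   uint64
	Bitfield []byte
}

// AllocChildren validates the header and only then allocates the child table,
// so a hostile fanout value can never size an allocation.
func AllocChildren(h ShardHeader) ([][]byte, error) {
	if h.Fanout > MaxHAMTFanout { // the cap from the thread, checked first
		return nil, fmt.Errorf("%w: %d > %d", ErrFanoutTooLarge, h.Fanout, MaxHAMTFanout)
	}
	if bits.OnesCount64(h.Fanout) != 1 { // assumption: power of two, also rejects 0
		return nil, fmt.Errorf("%w: %d", ErrFanoutInvalid, h.Fanout)
	}
	if uint64(len(h.Bitfield)) > (h.Fanout+7)/8 { // assumption: one bit per slot
		return nil, ErrBitfieldSize
	}
	return make([][]byte, h.Fanout), nil
}

func main() {
	// Constructed sample fanout values, not taken from real data.
	for _, f := range []uint64{256, 1024, 2048, 1000, 1 << 40} {
		_, err := AllocChildren(ShardHeader{Fanout: f, Bitfield: make([]byte, 1)})
		fmt.Printf("fanout=%d err=%v\n", f, err)
	}
}
```
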