pull-hook: ensure facts are not malicious

Ensure that the resource from the wire, the resource for the update match up. Also ensure that the source ship and the ship that is being pulled from for the resource match up. Without this, a host of a graph could send updates for graphs that they do not hosts, and these would be unconditionally forwarded, allowing malicious hosts to overwrite graphs that they do not host.
2025-01-02 20:15:27 +03:00 · 2021-01-14 09:36:58 +10:00 · 2021-01-14 09:36:58 +10:00 · e83efcb932
commit e83efcb932
parent 478e45d373
1 changed files with 11 additions and 2 deletions
--- a/pkg/arvo/lib/pull-hook.hoon
+++ b/pkg/arvo/lib/pull-hook.hoon
@ -285,7 +285,7 @@
            (on-agent:og wire sign)
          [cards this]
        :_  this
-        ~[(update-store:hc q.cage.sign)]
+        ~[(update-store:hc rid q.cage.sign)]
      ==
      ++  on-leave
        |=  =path
@ -424,15 +424,24 @@
      /helper/pull-hook
    wire
  ::
+  ++  get-conversion
+    .^  tube:clay
+      %cc  (scot %p our.bowl)  %home  (scot %da now.bowl)
+      /[update-mark.config]/resource
+    ==
+  ::
  ++  give-update
    ^-  card
    [%give %fact ~[/tracking] %pull-hook-update !>(tracking)]
  ::
  ++  update-store
-    |=  =vase
+    |=  [wire-rid=resource =vase]
    ^-  card
    =/  =wire
      (make-wire /store)
+    =+  !<(rid=resource (get-conversion vase))
+    ?>  =(src.bowl (~(got by tracking) rid))
+    ?>  =(wire-rid rid)
    [%pass wire %agent [our.bowl store-name.config] %poke update-mark.config vase]
  --
 --