Shreyas220 commented on code in PR #676: URL: https://github.com/apache/iceberg-go/pull/676#discussion_r2705885495
########## puffin/puffin_reader.go: ########## @@ -0,0 +1,387 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package puffin + +import ( + "encoding/binary" + "encoding/json" + "errors" + "fmt" + "io" + "sort" +) + +// PuffinReader +// +// Usage: +// +// r, err := puffin.NewPuffinReader(file, fileSize) +// if err != nil { +// return err +// } +// footer, err := r.ReadFooter() +// if err != nil { +// return err +// } +// for i := range footer.Blobs { +// blob, err := r.ReadBlob(i) +// // process blob.Data +// } +type PuffinReader struct { + r io.ReaderAt + size int64 + footer *Footer + footerStart int64 // cached after ReadFooter + maxBlobSize int64 +} + +// BlobData pairs a blob's metadata with its content. +type BlobData struct { + Metadata BlobMetadata + Data []byte +} + +// ReaderOption configures a PuffinReader. +type ReaderOption func(*PuffinReader) + +// WithMaxBlobSize sets the maximum blob size allowed when reading. +// This prevents OOM attacks from malicious files with huge blob lengths. +// Default is DefaultMaxBlobSize (256 MB). +func WithMaxBlobSize(size int64) ReaderOption { + return func(r *PuffinReader) { + r.maxBlobSize = size + } +} + +// NewPuffinReader creates a new Puffin reader. +// It validates both the header and trailing magic bytes upfront. +// The caller is responsible for closing the underlying io.ReaderAt. +func NewPuffinReader(r io.ReaderAt, size int64, opts ...ReaderOption) (*PuffinReader, error) { + if r == nil { + return nil, errors.New("puffin: reader is nil") + } + + // Minimum size: header magic + footer magic + footer trailer + // [Magic] + zero for blob + [Magic] + [FooterPayloadSize (assuming ~0)] + [Flags] + [Magic] + minSize := int64(MagicSize + MagicSize + footerTrailerSize) + if size < minSize { + return nil, fmt.Errorf("puffin: file too small (%d bytes, minimum %d)", size, minSize) + } + + // Validate header magic + var headerMagic [MagicSize]byte + if _, err := r.ReadAt(headerMagic[:], 0); err != nil { + return nil, fmt.Errorf("puffin: read header magic: %w", err) + } + if headerMagic != magic { + return nil, errors.New("puffin: invalid header magic") + } + + // Validate trailing magic (fail fast on corrupt/truncated files) + var trailingMagic [MagicSize]byte + if _, err := r.ReadAt(trailingMagic[:], size-MagicSize); err != nil { + return nil, fmt.Errorf("puffin: read trailing magic: %w", err) + } + if trailingMagic != magic { + return nil, errors.New("puffin: invalid trailing magic") + } + + pr := &PuffinReader{ + r: r, + size: size, + maxBlobSize: DefaultMaxBlobSize, + } + + for _, opt := range opts { + opt(pr) + } + + return pr, nil +} + +// ReadFooter reads and parses the footer from the Puffin file. +// The footer is cached after the first successful read. +func (r *PuffinReader) ReadFooter() (*Footer, error) { + if r.footer != nil { + return r.footer, nil + } + + // Read trailer (last 12 bytes): PayloadSize(4) + Flags(4) + Magic(4) + var trailer [footerTrailerSize]byte + if _, err := r.r.ReadAt(trailer[:], r.size-footerTrailerSize); err != nil { + return nil, fmt.Errorf("puffin: read footer trailer: %w", err) + } + + // Validate trailing magic (already checked in constructor, but be defensive) + if trailer[8] != magic[0] || trailer[9] != magic[1] || + trailer[10] != magic[2] || trailer[11] != magic[3] { + return nil, errors.New("puffin: invalid trailing magic in footer") + } + + // Extract payload size and flags + payloadSize := int64(binary.LittleEndian.Uint32(trailer[0:4])) + flags := binary.LittleEndian.Uint32(trailer[4:8]) + + // Check for compressed footer (unsupported) + if flags&FooterFlagCompressed != 0 { + return nil, errors.New("puffin: compressed footer not supported") + } + + // Check for unknown flags (future-proofing) + if flags&^uint32(FooterFlagCompressed) != 0 { + return nil, fmt.Errorf("puffin: unknown footer flags set: 0x%x", flags) + } Review Comment: I lean more towards erroring out, ignoring flags might lead to unexpected behaviour if we dont understand how to read, we should error out -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
