put object with custom meta; enforce size limit

alex-aizman · alex-aizman · commit 45272ceef6e8 · 2025-12-27T20:32:50.000-05:00
* fix copying multi-value headers
* enforce 2KiB total size limit for custom keys

Signed-off-by: Alex Aizman &lt;alex.aizman@gmail.com&gt;
diff --git a/ais/tgtobj.go b/ais/tgtobj.go
@@ -145,15 +145,18 @@ type (
 //
 
 // poi.restful entry point
-func (poi *putOI) do(resphdr http.Header, r *http.Request, dpq *dpq) (int, error) {
-	{
-		poi.oreq = r
-		poi.r = r.Body
-		poi.resphdr = resphdr
-		poi.workFQN = poi.lom.GenFQN(fs.WorkCT, fs.WorkfilePut)
-		poi.cksumToUse = poi.lom.ObjAttrs().FromHeader(r.Header)
-		poi.owt = cmn.OwtPut // default
+func (poi *putOI) do(resphdr http.Header, r *http.Request, dpq *dpq) (_ int, err error) {
+	poi.oreq = r
+	poi.r = r.Body
+	poi.resphdr = resphdr
+	poi.workFQN = poi.lom.GenFQN(fs.WorkCT, fs.WorkfilePut)
+	poi.owt = cmn.OwtPut // default
+
+	oah := poi.lom.ObjAttrs()
+	if poi.cksumToUse, err = oah.FromHeader(r.Header); err != nil {
+		return 0, err
 	}
+
 	if dpq.sys.owt != "" {
 		poi.owt.FromS(dpq.sys.owt)
 	}
@@ -1085,8 +1088,14 @@ func (goi *getOI) getFromNeighbor(lom *core.LOM, tsi *meta.Snode) bool {
 		return false
 	}
 
-	cksumToUse := lom.ObjAttrs().FromHeader(resp.Header)
+	oah := lom.ObjAttrs()
+	cksumToUse, err := oah.FromHeader(resp.Header)
+	if err != nil { // unlikely
+		debug.AssertNoErr(err)
+		nlog.Errorln("invalid obj attrs from neighbor:", err)
+	}
 	workFQN := lom.GenFQN(fs.WorkCT, fs.WorkfileRemote)
+
 	poi := allocPOI()
 	{
 		poi.t = goi.t
diff --git a/api/object.go b/api/object.go
@@ -18,6 +18,7 @@ import (
 	"github.com/NVIDIA/aistore/api/apc"
 	"github.com/NVIDIA/aistore/cmn"
 	"github.com/NVIDIA/aistore/cmn/cos"
+	"github.com/NVIDIA/aistore/cmn/debug"
 
 	jsoniter "github.com/json-iterator/go"
 )
@@ -176,7 +177,9 @@ func (oah *ObjAttrs) Size() int64 {
 }
 
 func (oah *ObjAttrs) Attrs() (out cmn.ObjAttrs) {
-	out.Cksum = out.FromHeader(oah.wrespHeader)
+	var err error
+	out.Cksum, err = out.FromHeader(oah.wrespHeader)
+	debug.AssertNoErr(err)
 	return out
 }
 
@@ -451,7 +454,11 @@ func headobj(reqParams *ReqParams, noprops bool) (*cmn.ObjectProps, error) {
 
 	// first, cnm.ObjAttrs (compare with `t.objHead`)
 	op := &cmn.ObjectProps{}
-	op.Cksum = op.ObjAttrs.FromHeader(hdr)
+	op.Cksum, err = op.ObjAttrs.FromHeader(hdr)
+	if err != nil {
+		debug.AssertNoErr(err)
+		return nil, err
+	}
 
 	// second, all the rest
 	err = cmn.IterFields(op, func(tag string, field cmn.IterField) (error, bool) {
diff --git a/cmn/http.go b/cmn/http.go
@@ -8,6 +8,7 @@ package cmn
 import (
 	"fmt"
 	"io"
+	"maps"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -171,15 +172,9 @@ func WriteErrJSON(w http.ResponseWriter, r *http.Request, out any, err error) er
 	return err
 }
 
-// Copies headers from original request(from client) to
-// a new one(inter-cluster call)
-func CopyHeaders(dst, src http.Header) {
-	for k, values := range src {
-		for _, v := range values {
-			dst.Set(k, v)
-		}
-	}
-}
+// shallow copy http headers
+// inlining but keeping it for now (to maybe add checks if need be)
+func CopyHeaders(dst, src http.Header) { maps.Copy(dst, src) }
 
 func ParseReadHeaderTimeout() (_ time.Duration, isSet bool) {
 	val := os.Getenv(apc.EnvReadHeaderTimeout)
diff --git a/cmn/objattrs.go b/cmn/objattrs.go
@@ -44,9 +44,13 @@ const (
 	OrigFntl = "orig_fntl"
 )
 
+const (
+	maxSizeCustomKVs = 2 * cos.KiB
+)
+
 // object properties
-// NOTE: embeds system `ObjAttrs` that in turn includes custom user-defined
-// NOTE: compare with `apc.LsoMsg`
+// embeds system `ObjAttrs` that in turn includes custom user-defined
+// (compare with `apc.LsoMsg`)
 type ObjectProps struct {
 	Bck Bck `json:"bucket"`
 	ObjAttrs
@@ -231,8 +235,9 @@ func ToHeader(oah cos.OAH, hdr http.Header, size int64, cksums ...*cos.Cksum) {
 	}
 }
 
-// NOTE: returning checksum separately for subsequent validation
-func (oa *ObjAttrs) FromHeader(hdr http.Header) (cksum *cos.Cksum) {
+// return checksum separately for subsequent validation
+// parse and set custom metadata, if available
+func (oa *ObjAttrs) FromHeader(hdr http.Header) (cksum *cos.Cksum, err error) {
 	if ty := hdr.Get(apc.HdrObjCksumType); ty != "" {
 		val := hdr.Get(apc.HdrObjCksumVal)
 		cksum = cos.NewCksum(ty, val)
@@ -251,13 +256,37 @@ func (oa *ObjAttrs) FromHeader(hdr http.Header) (cksum *cos.Cksum) {
 	if v := hdr.Get(apc.HdrObjVersion); v != "" {
 		oa.Ver = &v
 	}
-	custom := hdr[http.CanonicalHeaderKey(apc.HdrObjCustomMD)]
-	for _, v := range custom {
-		entry := strings.SplitN(v, "=", 2)
-		debug.Assert(len(entry) == 2)
-		oa.SetCustomKey(entry[0], entry[1])
+
+	// custom metadata: total size limited
+	if custom, ok := hdr[apc.HdrObjCustomMD]; ok {
+		var (
+			size int
+			keys = make([]string, 0, 10)
+		)
+		for _, kvs := range custom {
+			kv := strings.SplitN(kvs, "=", 2)
+			if len(kv) != 2 {
+				oa._undoCustom(keys)
+				return nil, fmt.Errorf("custom metadata: invalid format %q (expecting key=value)", kvs)
+			}
+			size += len(kv[0]) + len(kv[1])
+			if size > maxSizeCustomKVs {
+				oa._undoCustom(keys)
+				return nil, fmt.Errorf("custom metadata: total size exceeds %d bytes", maxSizeCustomKVs)
+			}
+			oa.SetCustomKey(kv[0], kv[1])
+			keys = append(keys, kv[0])
+		}
+	}
+	return cksum, nil
+}
+
+// by implication, prior to FromHeader call obj attrs are not supposed to contain any custom keys,
+// or at least not those that could've been overwritten
+func (oa *ObjAttrs) _undoCustom(keys []string) {
+	for i := len(keys) - 1; i >= 0; i-- {
+		oa.DelCustomKey(keys[i])
 	}
-	return
 }
 
 // local <=> remote equality in the context of cold-GET and download. This function
