Skip to content

Fix: validate multihash in CIDv0 constructor#74

Merged
seetadev merged 3 commits into
ipld:masterfrom
sumanjeet0012:fix-63-cidv0-multihash-validation
Jul 13, 2026
Merged

Fix: validate multihash in CIDv0 constructor#74
seetadev merged 3 commits into
ipld:masterfrom
sumanjeet0012:fix-63-cidv0-multihash-validation

Conversation

@sumanjeet0012

@sumanjeet0012 sumanjeet0012 commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Closes #63

Description

This PR fixes issue #63 by adding validation to the CIDv0 constructor to ensure the provided multihash uses the sha2-256 algorithm and has a 32-byte digest, as required by the CID specification.

Changes

  • Updated CIDv0.__init__ to decode and validate the multihash code (must be 0x12 for sha2-256) and length (must be 32). Raises a ValueError if the multihash is invalid.
  • Added tests test_cidv0_rejects_non_sha256 and test_cidv0_rejects_truncated_digest in tests/test_cid.py.
  • Fixed existing tests in test_cid.py and test_new_features.py that were improperly creating CIDv0 objects using non-compliant hashes or raw byte strings (which now fail due to the new strict validation).

@sumanjeet0012
sumanjeet0012 force-pushed the fix-63-cidv0-multihash-validation branch from 5d1e9f4 to 5ed18b1 Compare July 12, 2026 16:03
@sumanjeet0012
sumanjeet0012 force-pushed the fix-63-cidv0-multihash-validation branch from bfe9ff5 to 76d1c8b Compare July 12, 2026 18:53
@seetadev

Copy link
Copy Markdown
Contributor

@sumanjeet0012 : Excellent work on this PR.

Wish to share that I particularly like that you not only implemented the validation logic in CIDv0.__init__, but also added targeted regression tests covering unsupported hash algorithms and truncated digests, while updating the existing test suite to use specification-compliant inputs. That makes the change both robust and maintainable, and helps prevent future regressions.

It is also great to see that 23 out of 24 CI checks are already passing across multiple Python versions and Windows. The remaining documentation check appears to be an environment/configuration issue (docs extras not found) rather than a problem with the validation logic itself, so it should be straightforward to resolve. Overall, this is a clean, well-scoped contribution that improves standards compliance, input validation, and interoperability across the IPLD ecosystem.

Sharing the logs of 1 CI/CD issue, which can be resolved quickly.

Run python -m tox run -r
.pkg: remove tox env folder /home/runner/work/py-cid/py-cid/.tox/.pkg
docs: failed with extras not found for package py-cid: - (available: dev)
docs: FAIL code 1 (0.20 seconds)
evaluation failed :( (0.74 seconds)
Error: Process completed with exit code 1.

Good job, and thank you for putting together such a thoughtful fix along with comprehensive test coverage.

@acul71: We will do a py-cid release this Wednesday once this PR and others are ready for merge.

CCing @johannamoran and @mishmosh.

@sumanjeet0012 sumanjeet0012 changed the title Fix: validate multihash in CIDv0 constructor (fixes #63) Fix: validate multihash in CIDv0 constructor Jul 13, 2026
@seetadev

Copy link
Copy Markdown
Contributor

LGTM :)

@seetadev
seetadev merged commit 9e19a19 into ipld:master Jul 13, 2026
24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CIDv0 constructor doesn't validate multihash — accepts any hash type

2 participants