fix(gateway): prevent blocked CIDs in CAR responses

The gateway was including blocked CIDs in CAR format responses,
bypassing content filtering policies.

The fix separates the DAGService usage in GetCAR:
- nodeGetterToCarExporer continues wrapping for path resolution
- Original dagService is now used for blockOpener during traversal
- blockOpener returns traversal.SkipMe{} ONLY for blocked content
- NotFound errors are properly propagated (not skipped)

This ensures blocked content is filtered from CAR responses while
properly failing when blocks are genuinely missing (broken DAG).

Closes ipfs/kubo#10361

Author: lidel

CHANGELOG.md

@@ -22,6 +22,8 @@ The following emojis are used to highlight certain changes:
 
 ### Fixed
 
+- `gateway`: Fixed CAR responses including blocked content. The gateway now properly filters out blocked CIDs from CAR format responses, ensuring content filtering policies are enforced across all response formats. ([ipfs/kubo#10361](https://github.com/ipfs/kubo/issues/10361))
+
 ### Security
 
 

gateway/backend_blocks.go

@@ -391,10 +391,14 @@ func (bb *BlocksBackend) GetCAR(ctx context.Context, p path.ImmutablePath, param
 			return ContentPathMetadata{}, nil, err
 		}
 
-		blockGetter := merkledag.NewDAGService(bb.blockService).Session(ctx)
-
-		blockGetter = &nodeGetterToCarExporer{
-			ng: blockGetter,
+		// Create a DAGService that uses the blocking-aware BlockService.
+		// When a CID is blocked, the underlying BlockService returns an error.
+		dagService := merkledag.NewDAGService(bb.blockService).Session(ctx)
+
+		// Wrap the DAGService to write blocks to CAR as they're fetched.
+		// This wrapper is used by the path resolver to fetch intermediate blocks.
+		blockGetter := &nodeGetterToCarExporer{
+			ng: dagService,
 			cw: cw,
 		}
 
@@ -434,10 +438,14 @@ func (bb *BlocksBackend) GetCAR(ctx context.Context, p path.ImmutablePath, param
 			return
 		}
 
-		blockGetter := merkledag.NewDAGService(bb.blockService).Session(ctx)
+		// Create a DAGService that uses the blocking-aware BlockService.
+		// When a CID is blocked, the underlying BlockService returns an error.
+		dagService := merkledag.NewDAGService(bb.blockService).Session(ctx)
 
-		blockGetter = &nodeGetterToCarExporer{
-			ng: blockGetter,
+		// Wrap the DAGService to write blocks to CAR as they're fetched.
+		// This wrapper is used by the path resolver to fetch intermediate blocks.
+		blockGetter := &nodeGetterToCarExporer{
+			ng: dagService,
 			cw: cw,
 		}
 
@@ -447,7 +455,15 @@ func (bb *BlocksBackend) GetCAR(ctx context.Context, p path.ImmutablePath, param
 
 		lsys := cidlink.DefaultLinkSystem()
 		unixfsnode.AddUnixFSReificationToLinkSystem(&lsys)
-		lsys.StorageReadOpener = blockOpener(ctx, blockGetter)
+		// CRITICAL: Use the original dagService for blockOpener, not the wrapped nodeGetterToCarExporer.
+		// This separation ensures that:
+		// 1. blockOpener checks if blocks are accessible (through blocking-aware BlockService)
+		// 2. Only non-blocked content triggers CAR writing in nodeGetterToCarExporer
+		// 3. Blocked content returns traversal.SkipMe{} and never gets written to CAR
+		//
+		// If we passed blockGetter (the wrapped nodeGetterToCarExporer) here instead,
+		// it would write blocks to CAR immediately upon access, even if they're blocked.
+		lsys.StorageReadOpener = blockOpener(ctx, dagService)
 
 		// First resolve the path since we always need to.
 		lastCid, remainder, err := pathResolver.ResolveToLastNode(ctx, p)
@@ -784,6 +800,12 @@ func (bb *BlocksBackend) resolvePath(ctx context.Context, p path.Path) (path.Imm
 	return imPath, remainder, nil
 }
 
+// nodeGetterToCarExporer wraps a NodeGetter to write blocks to a CAR file as they are fetched.
+// This enables streaming CAR generation during DAG traversal.
+//
+// IMPORTANT: This wrapper is used for path resolution but NOT for the traversal's blockOpener.
+// The blockOpener uses the underlying dagService directly to ensure proper blocking checks
+// before any blocks are written to the CAR.
 type nodeGetterToCarExporer struct {
 	ng format.NodeGetter
 	cw storage.WritableCar
@@ -792,6 +814,7 @@ type nodeGetterToCarExporer struct {
 func (n *nodeGetterToCarExporer) Get(ctx context.Context, c cid.Cid) (format.Node, error) {
 	nd, err := n.ng.Get(ctx, c)
 	if err != nil {
+		// Pass through all errors - blockOpener will handle them appropriately
 		return nil, err
 	}
 
@@ -820,6 +843,19 @@ func (n *nodeGetterToCarExporer) GetMany(ctx context.Context, cids []cid.Cid) <-
 				case outCh <- nd:
 				case <-ctx.Done():
 				}
+			} else {
+				// Handle errors from the underlying NodeGetter:
+				// - NotFound errors: content doesn't exist, skip silently
+				// - Blocked errors: content is blocked, skip silently
+				// - Other errors: propagate to caller
+				if !format.IsNotFound(nd.Err) && !isErrContentBlocked(nd.Err) {
+					// Only pass through non-blocked errors
+					select {
+					case outCh <- nd:
+					case <-ctx.Done():
+					}
+				}
+				// For blocked/not found errors, we simply skip - don't send anything
 			}
 		}
 	}()
@@ -909,15 +945,30 @@ func (n *nodeGetterFetcherSingleUseFactory) blankProgress(ctx context.Context) t
 	}
 }
 
+// blockOpener returns a function that loads blocks during CAR traversal.
+// It is used by the IPLD LinkSystem during the walkGatewaySimpleSelector traversal.
+//
+// When a blocked CID is encountered, it returns traversal.SkipMe{} which tells
+// the traversal to skip that branch of the DAG without failing the entire operation.
+// This allows generating CARs with partial content when some blocks are filtered.
 func blockOpener(ctx context.Context, ng format.NodeGetter) ipld.BlockReadOpener {
 	return func(_ ipld.LinkContext, lnk ipld.Link) (io.Reader, error) {
 		cidLink, ok := lnk.(cidlink.Link)
 		if !ok {
 			return nil, fmt.Errorf("invalid link type for loading: %v", lnk)
 		}
 
+		// Attempt to fetch the block through the NodeGetter.
+		// If using a blocking-aware BlockService, this returns an error for blocked CIDs.
 		blk, err := ng.Get(ctx, cidLink.Cid)
 		if err != nil {
+			// Check if this block is blocked (not just missing)
+			if isErrContentBlocked(err) {
+				// Return traversal.SkipMe{} to gracefully skip blocked content.
+				// The traversal continues with other accessible parts of the DAG.
+				return nil, traversal.SkipMe{}
+			}
+			// Propagate all other errors including NotFound (broken DAG)
 			return nil, err
 		}
 

gateway/errors.go

@@ -226,6 +226,8 @@ func webError(w http.ResponseWriter, r *http.Request, c *Config, err error, defa
 	case errors.Is(err, &cid.ErrInvalidCid{}):
 		code = http.StatusBadRequest
 	case isErrContentBlocked(err):
+		// HTTP 410 Gone indicates the content has been permanently removed
+		// due to content filtering/blocking policies
 		code = http.StatusGone
 	case isErrNotFound(err):
 		code = http.StatusNotFound
@@ -279,9 +281,23 @@ func isErrNotFound(err error) bool {
 	}
 }
 
-// isErrContentBlocked returns true for content filtering system errors
+// isErrContentBlocked returns true for content filtering system errors.
+//
+// This function detects errors from nopfs (https://github.com/ipfs-shipyard/nopfs),
+// the content blocking system used by IPFS implementations.
+// When content is blocked, nopfs returns a StatusError with a specific message format.
+// We detect these errors by checking for the characteristic error message rather than
+// using type assertions to avoid pulling nopfs as a direct dependency.
+//
+// The blocking system returns HTTP 410 Gone for blocked content, indicating the content
+// has been intentionally made unavailable due to content filtering policies.
+//
+// TODO: When nopfs becomes a direct dependency, replace this string matching with proper
+// type assertion or errors.Is() for more robust error detection.
 func isErrContentBlocked(err error) bool {
-	// TODO: we match error message to avoid pulling nopfs as a dependency
+	// The nopfs StatusError.Error() returns messages in the format:
+	// - "{cid} is blocked and cannot be provided" for blocked CIDs
+	// - "{path} is blocked and cannot be provided" for blocked paths
 	// Ref. https://github.com/ipfs-shipyard/nopfs/blob/cde3b5ba964c13e977f4a95f3bd8ca7d7710fbda/status.go#L87-L89
 	return strings.Contains(err.Error(), "blocked and cannot be provided")
 }