The blob resolver does not attempt to validate blob content identifiers after fetch, which allows users to modify the blob locally on their PDS to be any content they wish without updating any records. It would be a good idea to compute a hash of the downloaded blob after fetch and ensure it matches the requested CID.
lichen.wiki: Collaborative wiki on ATProto
atproto
Blob resolver: no CID validation #2
Status: open
opened by blooym.dev
Thanks for the issue, currently looking at it
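As an added example (not code from the lichen.wiki project or from either participant in this thread), the following Python shows the post-fetch check the issue asks for: the requested CID is decoded, and the downloaded bytes are hashed and compared against the digest the CID carries before the blob is handed to the caller. It assumes the blob CID is a CIDv1 with the raw codec and a sha2-256 multihash in base32 multibase form, which is the shape ATProto uses for blob references; `fetch` is a hypothetical callable standing in for whatever the resolver uses to pull bytes from a PDS.

```python
import base64
import hashlib
import hmac

# Multicodec / multihash constants for an ATProto blob CID (CIDv1, raw, sha2-256).
CID_V1 = 0x01
CODEC_RAW = 0x55
MH_SHA2_256 = 0x12
SHA256_LEN = 0x20


def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode one unsigned LEB128 varint at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_cid(cid: str) -> tuple[int, int, int, bytes]:
    """Parse a base32 multibase ('b...') CID into (version, codec, hash_fn, digest)."""
    if not cid.startswith("b"):
        raise ValueError("only base32 ('b') multibase CIDs are handled here")
    body = cid[1:].upper()
    body += "=" * (-len(body) % 8)  # restore the base32 padding the CID omits
    raw = base64.b32decode(body)
    version, pos = _read_varint(raw, 0)
    if version != CID_V1:
        raise ValueError(f"unsupported CID version {version}")
    codec, pos = _read_varint(raw, pos)
    hash_fn, pos = _read_varint(raw, pos)
    length, pos = _read_varint(raw, pos)
    digest = raw[pos:pos + length]
    if len(digest) != length or pos + length != len(raw):
        raise ValueError("malformed multihash")
    return version, codec, hash_fn, digest


def encode_raw_cid(data: bytes) -> str:
    """Compute the CIDv1 / raw / sha2-256 CID of data, base32 multibase encoded."""
    digest = hashlib.sha256(data).digest()
    # All four header values are < 0x80, so each is a single-byte varint.
    raw = bytes([CID_V1, CODEC_RAW, MH_SHA2_256, SHA256_LEN]) + digest
    return "b" + base64.b32encode(raw).decode().rstrip("=").lower()


def blob_matches_cid(data: bytes, cid: str) -> bool:
    """True iff data hashes to the digest carried in cid."""
    _, codec, hash_fn, digest = decode_cid(cid)
    if codec != CODEC_RAW or hash_fn != MH_SHA2_256 or len(digest) != SHA256_LEN:
        # Refuse anything we cannot verify instead of silently accepting it.
        raise ValueError("blob CID must be CIDv1 raw with a sha2-256 multihash")
    return hmac.compare_digest(hashlib.sha256(data).digest(), digest)


def fetch_blob_verified(fetch, cid: str) -> bytes:
    """Fetch a blob via the hypothetical fetch(cid) -> bytes and verify it before returning it.

    A blob that was rewritten on the PDS after the record was created no longer
    hashes to the record's CID, so it is rejected here rather than served.
    """
    data = fetch(cid)
    if not blob_matches_cid(data, cid):
        raise ValueError(f"blob content does not match requested CID {cid}")
    return data


if __name__ == "__main__":
    # Constructed sample: a blob, its CID, and a fetcher that returns tampered bytes.
    blob = b"constructed sample blob content"
    cid = encode_raw_cid(blob)
    print(cid, fetch_blob_verified(lambda c: blob, cid) == blob)
    try:
        fetch_blob_verified(lambda c: blob + b" (modified on the PDS)", cid)
    except ValueError as exc:
        print("rejected:", exc)
```

The comparison goes through the decoded digest rather than re-encoding the blob's CID as a string, so a CID that differs only in multibase or varint encoding from what the resolver produces still verifies correctly; an unexpected codec or hash function is treated as a failure, not as "nothing to check".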