trustless-gateway.ts#L92 does not seem to have any protection against being tricked into fetching terabytes of data.

Helia should have a response size check and config option similar to HTTPRetrieval.MaxBlockSize from Kubo 0.35.0-rc1, where there is implicit limit of 2MiB but user is able to override it.

Implementation-wise, either error, or if its more tricky with streaming, perhaps wrap response stream in something that will truncate responses bigger than limit?
If we verify hashes before doing put to blockstore, truncating should be enough, because the hash of truncated response will no longer match CID and the response.

cc @SgtPooki @achingbrain – marking this as a bug, because without any limit, every client is at risk of being tricked into opening malicious CID and streaming a lot of garbage data

• Part of Feasibility study on shifting gateway traffic to inbrowser.link — IPFS/2025 ipshipyard/roadmaps#5
• Part of Native HTTP across the IPFS Stack, to enable Filecoin direct retrieval — IPFS/2025 ipshipyard/roadmaps#9

Related:

• file-type sniffer should never work on more than 8KiB helia-verified-fetch#200