From 170380c657a55995d3ec494d8e3e415ff4a4f89f Mon Sep 17 00:00:00 2001
From: Thomas Waldmann
Date: Sat, 16 Sep 2023 18:31:46 +0200
Subject: [PATCH] raise IntegrityError if ro_type is not as expected
---
 src/borg/repoobj.py | 7 +++++--
 src/borg/testsuite/repoobj.py | 5 +++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/borg/repoobj.py b/src/borg/repoobj.py
index 8514db4d..3fb2534a 100644
--- a/src/borg/repoobj.py
+++ b/src/borg/repoobj.py
@@ -2,6 +2,7 @@ from struct import Struct
 from .constants import * # NOQA
 from .helpers import msgpack, workarounds
+from .helpers.errors import IntegrityError
 from .compress import Compressor, LZ4_COMPRESSOR, get_compressor
 # workaround for lost passphrase or key in "authenticated" or "authenticated-blake2" mode
@@ -77,7 +78,8 @@ class RepoObj:
 meta_encrypted = obj[offs : offs + len_meta_encrypted]
 meta_packed = self.key.decrypt(id, meta_encrypted)
 meta = msgpack.unpackb(meta_packed)
- assert ro_type == ROBJ_DONTCARE or meta["type"] == ro_type
+ if ro_type != ROBJ_DONTCARE and meta["type"] != ro_type:
+ raise IntegrityError(f"ro_type expected: {ro_type} got: {meta['type']}")
 return meta
 def parse(
@@ -106,7 +108,8 @@ class RepoObj:
 offs += len_meta_encrypted
 meta_packed = self.key.decrypt(id, meta_encrypted)
 meta_compressed = msgpack.unpackb(meta_packed) # means: before adding more metadata in decompress block
- assert ro_type == ROBJ_DONTCARE or meta_compressed["type"] == ro_type
+ if ro_type != ROBJ_DONTCARE and meta_compressed["type"] != ro_type:
+ raise IntegrityError(f"ro_type expected: {ro_type} got: {meta_compressed['type']}")
 data_encrypted = obj[offs:]
 data_compressed = self.key.decrypt(id, data_encrypted) # does not include the type/level bytes
 if decompress:
diff --git a/src/borg/testsuite/repoobj.py b/src/borg/testsuite/repoobj.py
index 7f923f57..44c364d8 100644
--- a/src/borg/testsuite/repoobj.py
+++ b/src/borg/testsuite/repoobj.py
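Review bot: The new check in the `@@ -77,7 +78,8 @@` hunk indexes `meta["type"]` directly, and the `@@ -106,7 +108,8 @@` hunk does the same with `meta_compressed["type"]`. Metadata that decrypts and unpacks but carries no `type` key would then raise KeyError rather than IntegrityError, so a caller that handles IntegrityError would not see it as an integrity failure. Whether every stored object is guaranteed to have a `type` is not visible in these hunks. If it is not, reading the value once with `obj_type = meta.get("type")` and testing `if ro_type != ROBJ_DONTCARE and obj_type != ro_type:` keeps both the comparison and the message on the IntegrityError path. The two checks are identical apart from the variable name and could share one small private helper; both function bodies start or continue outside the hunks shown.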
@@ -2,6 +2,7 @@ import pytest
 from ..constants import ROBJ_FILE_STREAM, ROBJ_MANIFEST, ROBJ_ARCHIVE_META
 from ..crypto.key import PlaintextKey
+from ..helpers.errors import IntegrityError
 from ..repository import Repository
 from ..repoobj import RepoObj, RepoObj1
 from ..compress import LZ4
@@ -113,7 +114,7 @@ def test_spoof_manifest(key):
 cdata = repo_objs.format(id, {}, data, ro_type=ROBJ_FILE_STREAM)
 # let's assume an attacker somehow managed to replace the manifest with that repo object.
 # as borg always give the ro_type it wants to read, this should fail:
- with pytest.raises(AssertionError):
+ with pytest.raises(IntegrityError):
 repo_objs.parse(id, cdata, ro_type=ROBJ_MANIFEST)
@@ -125,5 +126,5 @@ def test_spoof_archive(key):
 cdata = repo_objs.format(id, {}, data, ro_type=ROBJ_FILE_STREAM)
 # let's assume an attacker somehow managed to replace an archive with that repo object.
 # as borg always give the ro_type it wants to read, this should fail:
- with pytest.raises(AssertionError):
+ with pytest.raises(IntegrityError):
 repo_objs.parse(id, cdata, ro_type=ROBJ_ARCHIVE_META)
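Review bot: Both spoof tests reach the new type check only through `repo_objs.parse(...)`; the same check added to `parse_meta` in src/borg/repoobj.py has no matching assertion in the `test_spoof_manifest` or `test_spoof_archive` hunks. Assuming `parse_meta` accepts the same `id`, object and `ro_type` arguments (its signature is outside the diff), each test could add `with pytest.raises(IntegrityError):` followed by `repo_objs.parse_meta(id, cdata, ro_type=ROBJ_MANIFEST)`, using `ROBJ_ARCHIVE_META` in the archive test. That way a later change to the metadata-only path cannot silently drop the type check. Both test bodies start above the lines shown, so an existing `parse_meta` assertion elsewhere in the file cannot be ruled out.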