From b5127a54eae206789431417d3e72f56fea51e0ee Mon Sep 17 00:00:00 2001
From: Javier Sagredo <javier.sagredo@iohk.io>
Date: Mon, 24 Nov 2025 16:41:22 +0100
Subject: [PATCH] Reject legacy snapshots

---
 ...124_165114_javier.sagredo_reject_legacy.md | 22 +++++++++++++++++++
 .../Consensus/Storage/LedgerDB/V2/LSM.hs      |  4 +++-
 .../Consensus/Storage/LedgerDB/Snapshots.hs   |  2 ++
 .../Storage/LedgerDB/V1/Snapshots.hs          |  5 ++++-
 .../Consensus/Storage/LedgerDB/V2/InMemory.hs |  5 ++++-
 5 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 ouroboros-consensus/changelog.d/20251124_165114_javier.sagredo_reject_legacy.md

diff --git a/ouroboros-consensus/changelog.d/20251124_165114_javier.sagredo_reject_legacy.md b/ouroboros-consensus/changelog.d/20251124_165114_javier.sagredo_reject_legacy.md
new file mode 100644
index 0000000000..11b01edb2e
--- /dev/null
+++ b/ouroboros-consensus/changelog.d/20251124_165114_javier.sagredo_reject_legacy.md
@@ -0,0 +1,22 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+For top level release notes, leave all the headers commented out.
+-->
+
+<!--
+### Patch
+
+- A bullet item for the Patch category.
+
+-->
+<!--
+### Non-Breaking
+
+- A bullet item for the Non-Breaking category.
+
+-->
+### Breaking
+
+- Legacy snapshots will be rejected and deleted, instead of crashing consensus.
diff --git a/ouroboros-consensus/src/ouroboros-consensus-lsm/Ouroboros/Consensus/Storage/LedgerDB/V2/LSM.hs b/ouroboros-consensus/src/ouroboros-consensus-lsm/Ouroboros/Consensus/Storage/LedgerDB/V2/LSM.hs
index cc44c81736..1c4dd4305f 100644
--- a/ouroboros-consensus/src/ouroboros-consensus-lsm/Ouroboros/Consensus/Storage/LedgerDB/V2/LSM.hs
+++ b/ouroboros-consensus/src/ouroboros-consensus-lsm/Ouroboros/Consensus/Storage/LedgerDB/V2/LSM.hs
@@ -450,8 +450,10 @@ loadSnapshot ::
   Session m ->
   DiskSnapshot ->
   ExceptT (SnapshotFailure blk) m (LedgerSeq' m blk, RealPoint blk)
-loadSnapshot tracer rr ccfg fs session ds =
+loadSnapshot tracer rr ccfg fs@(SomeHasFS hfs) session ds =
   do
+    fileEx <- lift $ doesFileExist hfs (snapshotToDirPath ds)
+    Monad.when fileEx $ throwE $ InitFailureRead ReadSnapshotIsLegacy
     snapshotMeta <-
       withExceptT (InitFailureRead . ReadMetadataError (snapshotToMetadataPath ds)) $
         loadSnapshotMetadata fs ds
diff --git a/ouroboros-consensus/src/ouroboros-consensus/Ouroboros/Consensus/Storage/LedgerDB/Snapshots.hs b/ouroboros-consensus/src/ouroboros-consensus/Ouroboros/Consensus/Storage/LedgerDB/Snapshots.hs
index 1b5826e2f3..e432acf581 100644
--- a/ouroboros-consensus/src/ouroboros-consensus/Ouroboros/Consensus/Storage/LedgerDB/Snapshots.hs
+++ b/ouroboros-consensus/src/ouroboros-consensus/Ouroboros/Consensus/Storage/LedgerDB/Snapshots.hs
@@ -185,6 +185,8 @@ data ReadSnapshotErr
     ReadSnapshotDataCorruption
   | -- | An error occurred while reading the snapshot metadata file
     ReadMetadataError FsPath MetadataErr
+  | -- | We were given a legacy snapshot
+    ReadSnapshotIsLegacy
   deriving (Eq, Show)
 
 data TablesCodecVersion = TablesCodecVersion1
diff --git a/ouroboros-consensus/src/ouroboros-consensus/Ouroboros/Consensus/Storage/LedgerDB/V1/Snapshots.hs b/ouroboros-consensus/src/ouroboros-consensus/Ouroboros/Consensus/Storage/LedgerDB/V1/Snapshots.hs
index 0e4b658ee3..1fab7171eb 100644
--- a/ouroboros-consensus/src/ouroboros-consensus/Ouroboros/Consensus/Storage/LedgerDB/V1/Snapshots.hs
+++ b/ouroboros-consensus/src/ouroboros-consensus/Ouroboros/Consensus/Storage/LedgerDB/V1/Snapshots.hs
@@ -163,6 +163,7 @@ import Ouroboros.Consensus.Util.Args (Complete)
 import Ouroboros.Consensus.Util.Enclose
 import Ouroboros.Consensus.Util.IOLike
 import System.FS.API
+import qualified System.FS.API as FS
 
 snapshotManager ::
   ( IOLike m
@@ -293,7 +294,9 @@ loadSnapshot ::
     (SnapshotFailure blk)
     m
     ((DbChangelog' blk, ResourceKey m, LedgerBackingStore m (ExtLedgerState blk)), RealPoint blk)
-loadSnapshot tracer bArgs@(SomeBackendArgs bss) ccfg fs@(SnapshotsFS fs') reg s = do
+loadSnapshot tracer bArgs@(SomeBackendArgs bss) ccfg fs@(SnapshotsFS fs'@(SomeHasFS hfs)) reg s = do
+  fileEx <- Trans.lift $ FS.doesFileExist hfs (snapshotToDirPath s)
+  Monad.when fileEx $ throwError $ InitFailureRead ReadSnapshotIsLegacy
   (extLedgerSt, checksumAsRead) <-
     withExceptT (InitFailureRead . ReadSnapshotFailed) $
       readExtLedgerState fs' (decodeDiskExtLedgerState ccfg) decode (snapshotToStatePath s)
diff --git a/ouroboros-consensus/src/ouroboros-consensus/Ouroboros/Consensus/Storage/LedgerDB/V2/InMemory.hs b/ouroboros-consensus/src/ouroboros-consensus/Ouroboros/Consensus/Storage/LedgerDB/V2/InMemory.hs
index 906937b457..93f2ed831d 100644
--- a/ouroboros-consensus/src/ouroboros-consensus/Ouroboros/Consensus/Storage/LedgerDB/V2/InMemory.hs
+++ b/ouroboros-consensus/src/ouroboros-consensus/Ouroboros/Consensus/Storage/LedgerDB/V2/InMemory.hs
@@ -323,7 +323,10 @@ loadSnapshot ::
   SomeHasFS m ->
   DiskSnapshot ->
   ExceptT (SnapshotFailure blk) m (LedgerSeq' m blk, RealPoint blk)
-loadSnapshot tracer _rr ccfg fs ds = do
+loadSnapshot tracer _rr ccfg fs@(SomeHasFS hfs) ds = do
+  fileEx <- lift $ doesFileExist hfs (snapshotToDirPath ds)
+  Monad.when fileEx $ throwE $ InitFailureRead ReadSnapshotIsLegacy
+
   snapshotMeta <-
     withExceptT (InitFailureRead . ReadMetadataError (snapshotToMetadataPath ds)) $
       loadSnapshotMetadata fs ds