From 6aa49863bd17adf0c6eced965db0ffaf6632c7ec Mon Sep 17 00:00:00 2001
From: rhaidiz
Date: Mon, 14 Sep 2020 12:17:04 +0200
Subject: [PATCH] Add checksum check before installing a package

---
 arduino/resources/install.go  |  7 +++++++
 test/test_core.py             |  6 ++++++
 test/testdata/test_index.json | 39 +++++++++++++++++++++++++++++++----
 3 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/arduino/resources/install.go b/arduino/resources/install.go
index c306faf27ae..d87708b7dd1 100644
--- a/arduino/resources/install.go
+++ b/arduino/resources/install.go
@@ -32,6 +32,13 @@ import (
 // Note that tempPath and destDir must be on the same filesystem partition
 // otherwise the last step will fail.
 func (release *DownloadResource) Install(downloadDir, tempPath, destDir *paths.Path) error {
+	// Check the integrity of the package
+	if ok, err := release.TestLocalArchiveIntegrity(downloadDir); err != nil {
+		return fmt.Errorf("testing local archive integrity: %s", err)
+	} else if !ok {
+		return fmt.Errorf("checking local archive integrity")
+	}
+
 	// Create a temporary dir to extract package
 	if err := tempPath.MkdirAll(); err != nil {
 		return fmt.Errorf("creating temp dir for extraction: %s", err)
diff --git a/test/test_core.py b/test/test_core.py
index bf33b1c0de1..0ba70253505 100644
--- a/test/test_core.py
+++ b/test/test_core.py
@@ -203,3 +203,9 @@ def test_core_zipslip(run_command):
     # Install a core and check if malicious content has been extracted.
     run_command("core install zipslip:x86 --additional-urls={}".format(url))
     assert os.path.exists("/tmp/evil.txt") is False
+
+
+def test_core_broken_install(run_command):
+    url = "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/test_index.json"
+    assert run_command("core update-index --additional-urls={}".format(url))
+    assert not run_command("core install brokenchecksum:x86 --additional-urls={}".format(url))
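Review bot: The mismatch branch of the added check, `return fmt.Errorf("checking local archive integrity")`, reads like a progress message rather than an error and tells the user neither what failed nor why, although a checksum mismatch (stale index, corrupted or tampered download) is exactly the case a user must be able to recognize; name it, e.g. `return fmt.Errorf("local archive integrity check failed: checksum mismatch")`. The `else if` after a returning `if` is also unidiomatic Go; declaring `ok, err := release.TestLocalArchiveIntegrity(downloadDir)` first and using two guard clauses keeps the happy path left-aligned without changing behaviour. Consider whether a mismatched archive left in downloadDir should be removed here so a retry re-downloads instead of failing the same way again — the hunk does not show whether the download step already handles that. The `%s` verb matches the existing error style in this function, so keeping it is consistent with the file even though `%w` would allow callers to use `errors.Is`. Install's body continues past the hunk.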
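Review bot: The new test fetches `test_index.json` from the `master` branch of the upstream repository rather than from the checkout under test, so the `brokenchecksum` package it installs only exists at that URL once this commit is merged, and until then the second `run_command` would presumably fail for a different reason (unknown package) than the checksum mismatch the test is meant to prove. The existing `test_core_zipslip` uses the same URL, so this follows the file's convention, but serving the fixture from a local path or from the commit's own ref would let the test assert the integrity-check path specifically. A comment above the function stating what is expected to fail would also help, e.g. `# Installing a core whose index checksum does not match the archive must fail.`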
diff --git a/test/testdata/test_index.json b/test/testdata/test_index.json
index 21c852546f8..3781132bedd 100644
--- a/test/testdata/test_index.json
+++ b/test/testdata/test_index.json
@@ -13,12 +13,12 @@
             "online": "https://github.com/Arduino/arduino-cli"
           },
           "url": "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/core.zip",
-          "checksum": "SHA-256:1ba93f6aea56842dfef065c0f5eb0a34c1f78b72b3f2426c94e47ba3a359c9ff",
+          "checksum": "SHA-256:6a338cf4d6d501176a2d352c87a8d72ac7488b8c5b82cdf2a4e2cef630391092",
           "name": "test_core",
           "version": "1.0.0",
           "architecture": "x86",
           "archiveFileName": "core.zip",
-          "size": "2799",
+          "size": "486",
           "toolsDependencies": [],
           "boards": [
             {
@@ -32,12 +32,12 @@
             "online": "https://github.com/Arduino/arduino-cli"
           },
           "url": "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/core.zip",
-          "checksum": "SHA-256:1ba93f6aea56842dfef065c0f5eb0a34c1f78b72b3f2426c94e47ba3a359c9ff",
+          "checksum": "SHA-256:6a338cf4d6d501176a2d352c87a8d72ac7488b8c5b82cdf2a4e2cef630391092",
           "name": "test_core",
           "version": "2.0.0",
           "architecture": "x86",
           "archiveFileName": "core.zip",
-          "size": "2799",
+          "size": "486",
           "toolsDependencies": [],
           "boards": [
             {
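Review bot: Both hunks on this file replace the `checksum` and `size` of `test_core` 1.0.0 and 2.0.0 while `core.zip` itself is not part of this commit, which suggests the index values were already stale against the archive on `master` and went unnoticed because nothing verified them before install. With the new check in `install.go`, these fixture values become load-bearing for `test_core_zipslip` as well, so the commit message should state how they were produced (e.g. the `sha256sum` and byte size of the current `core.zip`) to make future regeneration less error-prone. The same point applies to the second hunk at `@@ -32,12 +32,12 @@`.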
@@ -80,6 +80,37 @@
           ]
         }
       ]
+    },
+    {
+      "name": "brokenchecksum",
+      "tools": [],
+      "email": "test@example.com",
+      "maintainer": "Arduino",
+      "help": {
+        "online": "https://github.com/Arduino/arduino-cli"
+      },
+      "websiteURL": "https://github.com/Arduino/arduino-cli",
+      "platforms": [
+        {
+          "category": "BrokenChecksum Test",
+          "help": {
+            "online": "https://github.com/Arduino/arduino-cli"
+          },
+          "url": "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/core.zip",
+          "checksum": "SHA-256:1a338cf4d6d501176a2d352c87a8d72ac7488b8c5b82cdf2a4e2cef630391092",
+          "name": "zipslip",
+          "version": "1.0.0",
+          "architecture": "x86",
+          "archiveFileName": "core.zip",
+          "size": "486",
+          "toolsDependencies": [],
+          "boards": [
+            {
+              "name": "Test Board"
+            }
+          ]
+        }
+      ]
     }
   ]
 }
\ No newline at end of file
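Review bot: The added `brokenchecksum` package's platform carries `"name": "zipslip"`, which looks copied from the preceding fixture; a display name such as `"name": "brokenchecksum"` avoids confusing the two test packages in CLI output. The deliberately wrong checksum differs from the valid `test_core` value only in its first hex digit, which is fine for the test but worth stating in the commit message so a later maintainer does not "fix" it when regenerating the shared `core.zip` checksums. Since this entry points at the same `core.zip` as `test_core`, any regeneration must update the valid checksums while leaving this one mismatched.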