Add checksum check before installing a package (#947)

Federico · web-flow · commit 163a1f7bbd55 · 2020-09-15T12:42:47.000+02:00
diff --git a/arduino/resources/install.go b/arduino/resources/install.go
@@ -32,6 +32,13 @@ import (
 // Note that tempPath and destDir must be on the same filesystem partition
 // otherwise the last step will fail.
 func (release *DownloadResource) Install(downloadDir, tempPath, destDir *paths.Path) error {
+	// Check the integrity of the package
+	if ok, err := release.TestLocalArchiveIntegrity(downloadDir); err != nil {
+		return fmt.Errorf("testing local archive integrity: %s", err)
+	} else if !ok {
+		return fmt.Errorf("checking local archive integrity")
+	}
+
 	// Create a temporary dir to extract package
 	if err := tempPath.MkdirAll(); err != nil {
 		return fmt.Errorf("creating temp dir for extraction: %s", err)
diff --git a/test/test_core.py b/test/test_core.py
@@ -203,3 +203,9 @@ def test_core_zipslip(run_command):
     # Install a core and check if malicious content has been extracted.
     run_command("core install zipslip:x86 --additional-urls={}".format(url))
     assert os.path.exists("/tmp/evil.txt") is False
+
+
+def test_core_broken_install(run_command):
+    url = "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/test_index.json"
+    assert run_command("core update-index --additional-urls={}".format(url))
+    assert not run_command("core install brokenchecksum:x86 --additional-urls={}".format(url))
diff --git a/test/testdata/test_index.json b/test/testdata/test_index.json
@@ -13,12 +13,12 @@
                         "online": "https://github.com/Arduino/arduino-cli"
                     },
                     "url": "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/core.zip",
-                    "checksum": "SHA-256:1ba93f6aea56842dfef065c0f5eb0a34c1f78b72b3f2426c94e47ba3a359c9ff",
+                    "checksum": "SHA-256:6a338cf4d6d501176a2d352c87a8d72ac7488b8c5b82cdf2a4e2cef630391092",
                     "name": "test_core",
                     "version": "1.0.0",
                     "architecture": "x86",
                     "archiveFileName": "core.zip",
-                    "size": "2799",
+                    "size": "486",
                     "toolsDependencies": [],
                     "boards": [
                         {
@@ -32,12 +32,12 @@
                         "online": "https://github.com/Arduino/arduino-cli"
                     },
                     "url": "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/core.zip",
-                    "checksum": "SHA-256:1ba93f6aea56842dfef065c0f5eb0a34c1f78b72b3f2426c94e47ba3a359c9ff",
+                    "checksum": "SHA-256:6a338cf4d6d501176a2d352c87a8d72ac7488b8c5b82cdf2a4e2cef630391092",
                     "name": "test_core",
                     "version": "2.0.0",
                     "architecture": "x86",
                     "archiveFileName": "core.zip",
-                    "size": "2799",
+                    "size": "486",
                     "toolsDependencies": [],
                     "boards": [
                         {
@@ -80,6 +80,37 @@
                     ]
                 }
             ]
+        },
+        {
+            "name": "brokenchecksum",
+            "tools": [],
+            "email": "test@example.com",
+            "maintainer": "Arduino",
+            "help": {
+                "online": "https://github.com/Arduino/arduino-cli"
+            },
+            "websiteURL": "https://github.com/Arduino/arduino-cli",
+            "platforms": [
+                {
+                    "category": "BrokenChecksum Test",
+                    "help": {
+                        "online": "https://github.com/Arduino/arduino-cli"
+                    },
+                    "url": "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/core.zip",
+                    "checksum": "SHA-256:1a338cf4d6d501176a2d352c87a8d72ac7488b8c5b82cdf2a4e2cef630391092",
+                    "name": "zipslip",
+                    "version": "1.0.0",
+                    "architecture": "x86",
+                    "archiveFileName": "core.zip",
+                    "size": "486",
+                    "toolsDependencies": [],
+                    "boards": [
+                        {
+                            "name": "Test Board"
+                        }
+                    ]
+                }
+            ]
         }
     ]
 }
