Skip to content

Improve signature check on library_index.json #2326

Merged: 1 commit merged into arduino:master from enforce_signature_check on Sep 20, 2023

Conversation

cmaglie (Member) commented Sep 19, 2023

Please check if the PR fulfills these requirements

See how to contribute

  • The PR has no duplicates (please search among the Pull Requests
    before creating one)
  • The PR follows
    our contributing guidelines
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)
  • UPGRADING.md has been updated with a migration guide (for breaking changes)
  • configuration.schema.json updated if new parameters are added.

What kind of change does this PR introduce?

There are some cases where the signature check is skipped when upgrading indexes. This PR ensures that the signature check is enforced for the library_index.json.

What is the current behavior?

If the "bundle index+signature" library_index.tar.bz2 does not contain the signature, then the signature check is silently skipped.

What is the new behavior?

If the "bundle index+signature" library_index.tar.bz2 does not contain the signature, then the index upgrade fails.

Does this PR introduce a breaking change, and is titled accordingly?

No

Other information

cmaglie self-assigned this Sep 19, 2023
cmaglie added the labels "topic: code" (Related to content of the project itself) and "type: imperfection" (Perceived defect in any part of project) Sep 19, 2023
cmaglie added this to the Arduino CLI 0.35.0 milestone Sep 19, 2023
codecov bot commented Sep 19, 2023

Codecov Report

Patch coverage: 50.00% and project coverage change: -0.01% ⚠️

Comparison is base (29c70df) 63.08% compared to head (42e825d) 63.07%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2326      +/-   ##
==========================================
- Coverage   63.08%   63.07%   -0.01%     
==========================================
  Files         200      200              
  Lines       19260    19265       +5     
==========================================
+ Hits        12150    12152       +2     
- Misses       6061     6063       +2     
- Partials     1049     1050       +1     
Flag Coverage Δ
unit 63.07% <50.00%> (-0.01%) ⬇️

Files Changed Coverage Δ
arduino/resources/index.go 45.53% <25.00%> (-0.77%) ⬇️
commands/instances.go 64.52% <100.00%> (+0.08%) ⬆️


umbynos requested a review from rhpco September 19, 2023 10:19
umbynos added the label "topic: security" (Related to the protection of user data) Sep 19, 2023
alessio-perugini (Contributor) left a comment

If you have time I'd add a quick integration test that checks that we're enforcing the signature verification when calling the UpdateLibrariesIndex.

cmaglie (Member, Author) commented Sep 19, 2023

If you have time I'd add a quick integration test that checks that we're enforcing the signature verification when calling the UpdateLibrariesIndex.

How? It seems quite difficult to do, we have to provide a "fake" downloads.arduino.cc to serve a library_index.tar.bz2 without the signature...
Do you have any idea?

@cmaglie cmaglie merged commit 28fc9d6 into arduino:master Sep 20, 2023
@cmaglie cmaglie deleted the enforce_signature_check branch September 20, 2023 08:29
rhpco commented Sep 21, 2023

@cmaglie @alessio-perugini I suggest mocking the HTTP bad behaviour, for example implementing the test cases adopting https://github.com/jarcoal/httpmock library
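
As an added example, not code from the arduino-cli project or from any participant in this thread: the enforcement the PR description asks for (a bundle that lacks its signature member makes the index upgrade fail instead of silently skipping verification) together with rhpco's suggestion of mocking the download server in a test, written in Go against the standard library. The member names library_index.json and library_index.json.sig, the request path, and the use of net/http/httptest in place of the suggested httpmock library are assumptions for the example; the bundle is built as an uncompressed tar because the Go standard library can decompress bzip2 but not produce it, so the bzip2 layer is left to the caller.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Assumed member names inside the bundle (the real archive layout is not
// shown in the PR, so these are placeholders for the example).
const (
	indexMember     = "library_index.json"
	signatureMember = "library_index.json.sig"
)

var (
	ErrMissingIndex     = errors.New("bundle does not contain " + indexMember)
	ErrMissingSignature = errors.New("bundle does not contain " + signatureMember)
)

// IndexBundle is the pair of members an index bundle must carry.
type IndexBundle struct {
	Index     []byte
	Signature []byte
}

// ExtractBundle reads an uncompressed tar stream and returns both members.
// For a real library_index.tar.bz2 the caller wraps the stream with
// bzip2.NewReader first. The behaviour the PR removes was "no .sig member,
// no check"; here an absent signature is a hard error, so a stripped bundle
// can never reach the verification step and be accepted by default.
func ExtractBundle(r io.Reader) (*IndexBundle, error) {
	tr := tar.NewReader(r)
	b := &IndexBundle{}
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("reading bundle: %w", err)
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return nil, fmt.Errorf("reading %s: %w", hdr.Name, err)
		}
		switch hdr.Name {
		case indexMember:
			b.Index = data
		case signatureMember:
			b.Signature = data
		}
	}
	if b.Index == nil {
		return nil, ErrMissingIndex
	}
	if b.Signature == nil {
		return nil, ErrMissingSignature
	}
	return b, nil
}

// BuildBundle constructs a tar bundle in memory. The index body and the
// signature bytes are constructed sample data, not a real Arduino index or
// a real detached signature.
func BuildBundle(withSignature bool) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(name string, body []byte) {
		_ = tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
		_, _ = tw.Write(body)
	}
	add(indexMember, []byte(`{"libraries":[]}`))
	if withSignature {
		add(signatureMember, []byte("constructed-detached-signature"))
	}
	_ = tw.Close()
	return buf.Bytes()
}

// NewFakeDownloadServer stands in for downloads.arduino.cc and serves a
// bundle with or without the signature member (the "HTTP bad behaviour"
// a test wants to provoke). The path is an assumption for the example.
func NewFakeDownloadServer(withSignature bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/libraries/library_index.tar.bz2", func(w http.ResponseWriter, _ *http.Request) {
		_, _ = w.Write(BuildBundle(withSignature))
	})
	return httptest.NewServer(mux)
}

// FetchBundle downloads the bundle and refuses it unless both members exist.
func FetchBundle(url string) (*IndexBundle, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	return ExtractBundle(resp.Body)
}

func main() {
	for _, withSig := range []bool{true, false} {
		srv := NewFakeDownloadServer(withSig)
		_, err := FetchBundle(srv.URL + "/libraries/library_index.tar.bz2")
		srv.Close()
		fmt.Printf("signature member present=%v -> upgrade error: %v\n", withSig, err)
	}
}
```

The check here is only the structural one the PR is about (both members must be present before anything is verified); the cryptographic verification of the signature against the project's public key would follow ExtractBundle and is not part of this example. In a real test the fake server is what lets the "missing signature" case be exercised without touching the network.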
