(#1144) Add validation for package hash
TheCakeIsNaOH committed Sep 18, 2023
1 parent 48ee5cf commit b0dc2b1
Showing 1 changed file with 60 additions and 2 deletions.
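--- a/src/chocolatey/infrastructure.app/services/NugetService.cs
+++ b/src/chocolatey/infrastructure.app/services/NugetService.cs
@@ -811,7 +811,36 @@ Version was specified as '{0}'. It is possible that version
 NuGetEnvironment.GetFolderPath(NuGetFolderPath.Temp),
 _nugetLogger, CancellationToken.None).GetAwaiter().GetResult())
 {
-//TODO, do check on downloadResult
+// Folder based sources and v3 api based sources do not provide package hashes when getting metadata
+if (packageDependencyInfo.PackageHash is null)
+{
+this.Log().Debug("Source does not provide a package hash, skipping package checksum validation");
+}
+else
+{
+using (var metadataFileStream =
+downloadResult.PackageReader.GetStream(PackagingCoreConstants.NupkgMetadataFileExtension))
+{
+var metadataFileContents = NupkgMetadataFileFormat.Read(metadataFileStream, _nugetLogger,
+PackagingCoreConstants.NupkgMetadataFileExtension);
+if (!packageDependencyInfo.PackageHash.Length.Equals(metadataFileContents.ContentHash.Length))
+{
+this.Log().Warn("Package hash length mismatch, server may not be sending sha512 hash");
+}
+else if (packageDependencyInfo.PackageHash.Equals(metadataFileContents.ContentHash, StringComparison.OrdinalIgnoreCase))
+{
+this.Log().Debug("Package checksum matches expected checksum");
+}
+else
+{
+var errorMessage =
+"Package checksum '{0}' did not match expected checksum '{1}'"
+.FormatWith(metadataFileContents.ContentHash,
+packageDependencyInfo.PackageHash);
+throw new InvalidDataException(errorMessage);
+}
+}
+}
 
 nugetProject.InstallPackageAsync(
 packageDependencyInfo,
@@ -1493,7 +1522,36 @@ public virtual ConcurrentDictionary<string, PackageResult> Upgrade(ChocolateyCon
 NuGetEnvironment.GetFolderPath(NuGetFolderPath.Temp),
 _nugetLogger, CancellationToken.None).GetAwaiter().GetResult())
 {
-//TODO, do check on downloadResult
+// Folder based sources and v3 api based sources do not provide package hashes when getting metadata
+if (packageDependencyInfo.PackageHash is null)
+{
+this.Log().Debug("Source does not provide a package hash, skipping package checksum validation");
+}
+else
+{
+using (var metadataFileStream =
+downloadResult.PackageReader.GetStream(PackagingCoreConstants.NupkgMetadataFileExtension))
+{
+var metadataFileContents = NupkgMetadataFileFormat.Read(metadataFileStream, _nugetLogger,
+PackagingCoreConstants.NupkgMetadataFileExtension);
+if (!packageDependencyInfo.PackageHash.Length.Equals(metadataFileContents.ContentHash.Length))
+{
+this.Log().Warn("Package hash length mismatch, server may not be sending sha512 hash");
+}
+else if (packageDependencyInfo.PackageHash.Equals(metadataFileContents.ContentHash, StringComparison.OrdinalIgnoreCase))
+{
+this.Log().Debug("Package checksum matches expected checksum");
+}
+else
+{
+var errorMessage =
+"Package checksum '{0}' did not match expected checksum '{1}'"
+.FormatWith(metadataFileContents.ContentHash,
+packageDependencyInfo.PackageHash);
+throw new InvalidDataException(errorMessage);
+}
+}
+}
 
 nugetProject.InstallPackageAsync(
 packageDependencyInfo,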
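Review bot: The length-mismatch branch at `if (!packageDependencyInfo.PackageHash.Length.Equals(metadataFileContents.ContentHash.Length))` only emits a Warn and then falls through to `nugetProject.InstallPackageAsync`, so a source that returns a hash of any other length is installed with no checksum validation at all and nothing stronger than a log line to show for it. If that fallback is intended, say so in the message (`"Package hash length mismatch, server may not be sending sha512 hash; skipping package checksum validation"`) so it reads the same as the null-hash path; if it is not, that branch should throw `InvalidDataException` just like the mismatch branch below it. The match itself uses `StringComparison.OrdinalIgnoreCase`, but the warning text indicates these are base64-encoded SHA-512 digests, and base64 is case-significant, so `StringComparison.Ordinal` is the correct comparison — a case-folded match accepts strings that decode to different bytes. The same 30-line block is pasted verbatim into both the install path (first hunk) and the upgrade path (second hunk); extracting it into one private helper taking `packageDependencyInfo` and `downloadResult` would keep the two from drifting apart on a future fix. Both enclosing methods begin and end outside the hunks.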
