mirrors/brew
1
0
Fork 0
mirror of https://github.com/Homebrew/brew.git synced 2025-07-14 16:09:03 +08:00
Code Issues Packages Projects Releases Wiki Activity

formula_auditor: split out checksum check

Browse Source
This commit is contained in:
Michael Cho 2023-12-19 13:19:40 -05:00
parent 4d93a50ad6
commit 3e428f7676
No known key found for this signature in database
GPG Key ID: 55E85E28A7CD1E85
2 changed files with 115 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
Library/Homebrew/formula_auditor.rb
View File

@ -806,24 +806,11 @@ module Homebrew
return if formula.stable.blank? return if formula.stable.blank?
current_version = formula.stable.version current_version = formula.stable.version
current_checksum = formula.stable.checksum
current_version_scheme = formula.version_scheme current_version_scheme = formula.version_scheme
current_revision = formula.revision current_revision = formula.revision
current_url = formula.stable.url
previous_committed, newest_committed = committed_version_info previous_committed, newest_committed = committed_version_info
if current_version == newest_committed[:version] &&
current_url == newest_committed[:url] &&
current_checksum != newest_committed[:checksum] &&
current_checksum.present? && newest_committed[:checksum].present?
problem(
"stable sha256 changed without the url/version also changing; " \
"please create an issue upstream to rule out malicious " \
"circumstances and to find out why the file changed.",
)
end
unless previous_committed[:version_scheme].nil? unless previous_committed[:version_scheme].nil?
if current_version_scheme < previous_committed[:version_scheme] if current_version_scheme < previous_committed[:version_scheme]
problem "version_scheme should not decrease (from #{previous_committed[:version_scheme]} " \ problem "version_scheme should not decrease (from #{previous_committed[:version_scheme]} " \
@ -849,6 +836,30 @@ module Homebrew
end end
end end
def audit_unconfirmed_checksum_change
return unless @git
return unless formula.tap # skip formula not from core or any taps
return unless formula.tap.git? # git log is required
return if formula.stable.blank?
current_version = formula.stable.version
current_checksum = formula.stable.checksum
current_url = formula.stable.url
_, newest_committed = committed_version_info
if current_version == newest_committed[:version] &&
current_url == newest_committed[:url] &&
current_checksum != newest_committed[:checksum] &&
current_checksum.present? && newest_committed[:checksum].present?
problem(
"stable sha256 changed without the url/version also changing; " \
"please create an issue upstream to rule out malicious " \
"circumstances and to find out why the file changed.",
)
end
end
def audit_text def audit_text
bin_names = Set.new bin_names = Set.new
bin_names << formula.name bin_names << formula.name

150
Library/Homebrew/test/dev-cmd/audit_spec.rb
View File

@ -1009,65 +1009,6 @@ module Homebrew
end end
end end
describe "checksums" do
describe "should not change with the same version" do
before do
formula_gsub(
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
)
end
it { is_expected.to match("stable sha256 changed without the url/version also changing") }
end
describe "should not change with the same version when not the first commit" do
before do
formula_gsub_origin_commit(
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
)
formula_gsub_origin_commit "revision 2"
formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
formula_gsub(
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
'sha256 "e048c5e6144f5932d8672c2fade81d9073d5b3ca1517b84df006de3d25414fc1"',
)
end
it { is_expected.to match("stable sha256 changed without the url/version also changing") }
end
describe "can change with the different version" do
before do
formula_gsub_origin_commit(
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
)
formula_gsub "foo-1.0.tar.gz", "foo-1.1.tar.gz"
formula_gsub_origin_commit(
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
'sha256 "e048c5e6144f5932d8672c2fade81d9073d5b3ca1517b84df006de3d25414fc1"',
)
end
it { is_expected.to be_nil }
end
describe "can be removed when switching schemes" do
before do
formula_gsub_origin_commit(
'url "https://brew.sh/foo-1.0.tar.gz"',
'url "https://foo.com/brew/bar.git", tag: "1.0", revision: "f5e00e485e7aa4c5baa20355b27e3b84a6912790"',
)
formula_gsub_origin_commit('sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
"")
end
it { is_expected.to be_nil }
end
end
describe "revisions" do describe "revisions" do
describe "should not be removed when first committed above 0" do describe "should not be removed when first committed above 0" do
it { is_expected.to be_nil } it { is_expected.to be_nil }
@ -1173,6 +1114,97 @@ module Homebrew
end end
end end
describe "#audit_unconfirmed_checksum_change" do
subject do
fa = described_class.new(Formulary.factory(formula_path), git: true)
fa.audit_unconfirmed_checksum_change
fa.problems.first&.fetch(:message)
end
before do
origin_formula_path.dirname.mkpath
origin_formula_path.write <<~RUBY
class Foo#{foo_version} < Formula
url "https://brew.sh/foo-1.0.tar.gz"
sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
revision 2
version_scheme 1
end
RUBY
origin_tap_path.mkpath
origin_tap_path.cd do
system "git", "init"
system "git", "add", "--all"
system "git", "commit", "-m", "init"
end
tap_path.mkpath
tap_path.cd do
system "git", "clone", origin_tap_path, "."
end
end
describe "checksums" do
describe "should not change with the same version" do
before do
formula_gsub(
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
)
end
it { is_expected.to match("stable sha256 changed without the url/version also changing") }
end
describe "should not change with the same version when not the first commit" do
before do
formula_gsub_origin_commit(
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
)
formula_gsub_origin_commit "revision 2"
formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
formula_gsub(
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
'sha256 "e048c5e6144f5932d8672c2fade81d9073d5b3ca1517b84df006de3d25414fc1"',
)
end
it { is_expected.to match("stable sha256 changed without the url/version also changing") }
end
describe "can change with the different version" do
before do
formula_gsub_origin_commit(
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
)
formula_gsub "foo-1.0.tar.gz", "foo-1.1.tar.gz"
formula_gsub_origin_commit(
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
'sha256 "e048c5e6144f5932d8672c2fade81d9073d5b3ca1517b84df006de3d25414fc1"',
)
end
it { is_expected.to be_nil }
end
describe "can be removed when switching schemes" do
before do
formula_gsub_origin_commit(
'url "https://brew.sh/foo-1.0.tar.gz"',
'url "https://foo.com/brew/bar.git", tag: "1.0", revision: "f5e00e485e7aa4c5baa20355b27e3b84a6912790"',
)
formula_gsub_origin_commit('sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
"")
end
it { is_expected.to be_nil }
end
end
end
describe "#audit_versioned_keg_only" do describe "#audit_versioned_keg_only" do
specify "it warns when a versioned formula is not `keg_only`" do specify "it warns when a versioned formula is not `keg_only`" do
fa = formula_auditor "foo@1.1", <<~RUBY, core_tap: true fa = formula_auditor "foo@1.1", <<~RUBY, core_tap: true