formula_auditor: split out checksum check
This commit is contained in:
Michael Cho
parent
4d93a50ad6
commit
3e428f7676
@ -806,24 +806,11 @@ module Homebrew
|
|||||||
return if formula.stable.blank?
|
return if formula.stable.blank?
|
||||||
|
|
||||||
current_version = formula.stable.version
|
current_version = formula.stable.version
|
||||||
current_checksum = formula.stable.checksum
|
|
||||||
current_version_scheme = formula.version_scheme
|
current_version_scheme = formula.version_scheme
|
||||||
current_revision = formula.revision
|
current_revision = formula.revision
|
||||||
current_url = formula.stable.url
|
|
||||||
|
|
||||||
previous_committed, newest_committed = committed_version_info
|
previous_committed, newest_committed = committed_version_info
|
||||||
|
|
||||||
if current_version == newest_committed[:version] &&
|
|
||||||
current_url == newest_committed[:url] &&
|
|
||||||
current_checksum != newest_committed[:checksum] &&
|
|
||||||
current_checksum.present? && newest_committed[:checksum].present?
|
|
||||||
problem(
|
|
||||||
"stable sha256 changed without the url/version also changing; " \
|
|
||||||
"please create an issue upstream to rule out malicious " \
|
|
||||||
"circumstances and to find out why the file changed.",
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
unless previous_committed[:version_scheme].nil?
|
unless previous_committed[:version_scheme].nil?
|
||||||
if current_version_scheme < previous_committed[:version_scheme]
|
if current_version_scheme < previous_committed[:version_scheme]
|
||||||
problem "version_scheme should not decrease (from #{previous_committed[:version_scheme]} " \
|
problem "version_scheme should not decrease (from #{previous_committed[:version_scheme]} " \
|
||||||
@ -849,6 +836,30 @@ module Homebrew
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def audit_unconfirmed_checksum_change
|
||||||
|
return unless @git
|
||||||
|
return unless formula.tap # skip formula not from core or any taps
|
||||||
|
return unless formula.tap.git? # git log is required
|
||||||
|
return if formula.stable.blank?
|
||||||
|
|
||||||
|
current_version = formula.stable.version
|
||||||
|
current_checksum = formula.stable.checksum
|
||||||
|
current_url = formula.stable.url
|
||||||
|
|
||||||
|
_, newest_committed = committed_version_info
|
||||||
|
|
||||||
|
if current_version == newest_committed[:version] &&
|
||||||
|
current_url == newest_committed[:url] &&
|
||||||
|
current_checksum != newest_committed[:checksum] &&
|
||||||
|
current_checksum.present? && newest_committed[:checksum].present?
|
||||||
|
problem(
|
||||||
|
"stable sha256 changed without the url/version also changing; " \
|
||||||
|
"please create an issue upstream to rule out malicious " \
|
||||||
|
"circumstances and to find out why the file changed.",
|
||||||
|
)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def audit_text
|
def audit_text
|
||||||
bin_names = Set.new
|
bin_names = Set.new
|
||||||
bin_names << formula.name
|
bin_names << formula.name
|
||||||
|
|||||||
@ -1009,65 +1009,6 @@ module Homebrew
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "checksums" do
|
|
||||||
describe "should not change with the same version" do
|
|
||||||
before do
|
|
||||||
formula_gsub(
|
|
||||||
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
|
|
||||||
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
it { is_expected.to match("stable sha256 changed without the url/version also changing") }
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "should not change with the same version when not the first commit" do
|
|
||||||
before do
|
|
||||||
formula_gsub_origin_commit(
|
|
||||||
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
|
|
||||||
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
|
|
||||||
)
|
|
||||||
formula_gsub_origin_commit "revision 2"
|
|
||||||
formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
|
|
||||||
formula_gsub(
|
|
||||||
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
|
|
||||||
'sha256 "e048c5e6144f5932d8672c2fade81d9073d5b3ca1517b84df006de3d25414fc1"',
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
it { is_expected.to match("stable sha256 changed without the url/version also changing") }
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "can change with the different version" do
|
|
||||||
before do
|
|
||||||
formula_gsub_origin_commit(
|
|
||||||
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
|
|
||||||
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
|
|
||||||
)
|
|
||||||
formula_gsub "foo-1.0.tar.gz", "foo-1.1.tar.gz"
|
|
||||||
formula_gsub_origin_commit(
|
|
||||||
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
|
|
||||||
'sha256 "e048c5e6144f5932d8672c2fade81d9073d5b3ca1517b84df006de3d25414fc1"',
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
it { is_expected.to be_nil }
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "can be removed when switching schemes" do
|
|
||||||
before do
|
|
||||||
formula_gsub_origin_commit(
|
|
||||||
'url "https://brew.sh/foo-1.0.tar.gz"',
|
|
||||||
'url "https://foo.com/brew/bar.git", tag: "1.0", revision: "f5e00e485e7aa4c5baa20355b27e3b84a6912790"',
|
|
||||||
)
|
|
||||||
formula_gsub_origin_commit('sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
|
|
||||||
"")
|
|
||||||
end
|
|
||||||
|
|
||||||
it { is_expected.to be_nil }
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "revisions" do
|
describe "revisions" do
|
||||||
describe "should not be removed when first committed above 0" do
|
describe "should not be removed when first committed above 0" do
|
||||||
it { is_expected.to be_nil }
|
it { is_expected.to be_nil }
|
||||||
@ -1173,6 +1114,97 @@ module Homebrew
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "#audit_unconfirmed_checksum_change" do
|
||||||
|
subject do
|
||||||
|
fa = described_class.new(Formulary.factory(formula_path), git: true)
|
||||||
|
fa.audit_unconfirmed_checksum_change
|
||||||
|
fa.problems.first&.fetch(:message)
|
||||||
|
end
|
||||||
|
|
||||||
|
before do
|
||||||
|
origin_formula_path.dirname.mkpath
|
||||||
|
origin_formula_path.write <<~RUBY
|
||||||
|
class Foo#{foo_version} < Formula
|
||||||
|
url "https://brew.sh/foo-1.0.tar.gz"
|
||||||
|
sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
|
||||||
|
revision 2
|
||||||
|
version_scheme 1
|
||||||
|
end
|
||||||
|
RUBY
|
||||||
|
|
||||||
|
origin_tap_path.mkpath
|
||||||
|
origin_tap_path.cd do
|
||||||
|
system "git", "init"
|
||||||
|
system "git", "add", "--all"
|
||||||
|
system "git", "commit", "-m", "init"
|
||||||
|
end
|
||||||
|
|
||||||
|
tap_path.mkpath
|
||||||
|
tap_path.cd do
|
||||||
|
system "git", "clone", origin_tap_path, "."
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe "checksums" do
|
||||||
|
describe "should not change with the same version" do
|
||||||
|
before do
|
||||||
|
formula_gsub(
|
||||||
|
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
|
||||||
|
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
it { is_expected.to match("stable sha256 changed without the url/version also changing") }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe "should not change with the same version when not the first commit" do
|
||||||
|
before do
|
||||||
|
formula_gsub_origin_commit(
|
||||||
|
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
|
||||||
|
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
|
||||||
|
)
|
||||||
|
formula_gsub_origin_commit "revision 2"
|
||||||
|
formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
|
||||||
|
formula_gsub(
|
||||||
|
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
|
||||||
|
'sha256 "e048c5e6144f5932d8672c2fade81d9073d5b3ca1517b84df006de3d25414fc1"',
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
it { is_expected.to match("stable sha256 changed without the url/version also changing") }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe "can change with the different version" do
|
||||||
|
before do
|
||||||
|
formula_gsub_origin_commit(
|
||||||
|
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
|
||||||
|
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
|
||||||
|
)
|
||||||
|
formula_gsub "foo-1.0.tar.gz", "foo-1.1.tar.gz"
|
||||||
|
formula_gsub_origin_commit(
|
||||||
|
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
|
||||||
|
'sha256 "e048c5e6144f5932d8672c2fade81d9073d5b3ca1517b84df006de3d25414fc1"',
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
it { is_expected.to be_nil }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe "can be removed when switching schemes" do
|
||||||
|
before do
|
||||||
|
formula_gsub_origin_commit(
|
||||||
|
'url "https://brew.sh/foo-1.0.tar.gz"',
|
||||||
|
'url "https://foo.com/brew/bar.git", tag: "1.0", revision: "f5e00e485e7aa4c5baa20355b27e3b84a6912790"',
|
||||||
|
)
|
||||||
|
formula_gsub_origin_commit('sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
|
||||||
|
"")
|
||||||
|
end
|
||||||
|
|
||||||
|
it { is_expected.to be_nil }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe "#audit_versioned_keg_only" do
|
describe "#audit_versioned_keg_only" do
|
||||||
specify "it warns when a versioned formula is not `keg_only`" do
|
specify "it warns when a versioned formula is not `keg_only`" do
|
||||||
fa = formula_auditor "foo@1.1", <<~RUBY, core_tap: true
|
fa = formula_auditor "foo@1.1", <<~RUBY, core_tap: true
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user