From 6a7e5f2e9d47398ae63d699e1acc251202a824e0 Mon Sep 17 00:00:00 2001
From: Mike McQuaid
Date: Fri, 3 Jul 2020 09:21:49 +0100
Subject: [PATCH] dev-cmd/audit: tweak checksum audit.

Compare against the latest `origin/master` checksum rather than whatever the previous one was.
---
 Library/Homebrew/dev-cmd/audit.rb | 5 +-
 Library/Homebrew/test/dev-cmd/audit_spec.rb | 68 +++++++++++++++------
 2 files changed, 52 insertions(+), 21 deletions(-)

diff --git a/Library/Homebrew/dev-cmd/audit.rb b/Library/Homebrew/dev-cmd/audit.rb
index 8c2beedfca..6992748eb8 100644
--- a/Library/Homebrew/dev-cmd/audit.rb
+++ b/Library/Homebrew/dev-cmd/audit.rb
@@ -747,11 +747,11 @@ module Homebrew
 current_revision = formula.revision
 previous_version = nil
- previous_checksum = nil
 previous_version_scheme = nil
 previous_revision = nil
 newest_committed_version = nil
+ newest_committed_checksum = nil
 newest_committed_revision = nil
 fv.rev_list("origin/master") do |rev|
@@ -765,6 +765,7 @@ module Homebrew
 previous_revision = f.revision
 newest_committed_version ||= previous_version
+ newest_committed_checksum ||= previous_checksum
 newest_committed_revision ||= previous_revision
 end
@@ -772,7 +773,7 @@ module Homebrew
 end
 if current_version == previous_version &&
- current_checksum != previous_checksum
+ current_checksum != newest_committed_checksum
 problem(
 "stable sha256 changed without the version also changing; " \
 "please create an issue upstream to rule out malicious " \
diff --git a/Library/Homebrew/test/dev-cmd/audit_spec.rb b/Library/Homebrew/test/dev-cmd/audit_spec.rb
index c1418223c5..a7b770592f 100644
--- a/Library/Homebrew/test/dev-cmd/audit_spec.rb
+++ b/Library/Homebrew/test/dev-cmd/audit_spec.rb
@@ -363,6 +363,7 @@ module Homebrew
 origin_formula_path.write <<~RUBY
 class Foo#{foo_version} < Formula
 url "https://brew.sh/foo-1.0.tar.gz"
+ sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
 revision 2
 version_scheme 1
 end
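Review bot: In the third audit.rb hunk the predicate `if current_version == previous_version && current_checksum != newest_committed_checksum` now pairs a checksum taken from the newest origin/master revision with a version taken from whichever revision the `fv.rev_list` block assigned last, and that block body (and any break condition in it) is outside the hunk. If the loop walks past the newest revision, a sha256 that was swapped at the newest commit can be masked by an older revision whose version differs, which is exactly the tampering this "stable sha256 changed without the version also changing" audit exists to surface. Comparing like with like keeps the check anchored to one commit: `if current_version == newest_committed_version &&` followed by `current_checksum != newest_committed_checksum`. Dropping `previous_checksum = nil` in the first hunk is consistent with the new predicate, since `previous_checksum` is now only read inside the block, but the name becomes block-local, so any remaining read of it after the loop would raise NameError instead of comparing against nil; worth a one-line comment at the `newest_committed_checksum = nil` initialiser, e.g. `# checksum of the newest origin/master revision; previous_checksum is block-local`.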
@@ -388,7 +389,7 @@ module Homebrew
 formula_path.write text
 end
- def formula_gsub_commit(before, after = "")
+ def formula_gsub_origin_commit(before, after = "")
 text = origin_formula_path.read
 text.gsub!(before, after)
 origin_formula_path.unlink
@@ -404,19 +405,48 @@ module Homebrew
 end
 end
+ context "checksums" do
+ context "should not change with the same version" do
+ before do
+ formula_gsub(
+ 'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
+ 'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
+ )
+ end
+
+ it { is_expected.to match("stable sha256 changed without the version also changing") }
+ end
+
+ context "can change with the different version" do
+ before do
+ formula_gsub_origin_commit(
+ 'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
+ 'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
+ )
+ formula_gsub "foo-1.0.tar.gz", "foo-1.1.tar.gz"
+ formula_gsub_origin_commit(
+ 'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
+ 'sha256 "e048c5e6144f5932d8672c2fade81d9073d5b3ca1517b84df006de3d25414fc1"',
+ )
+ end
+
+ it { is_expected.to be_nil }
+ end
+ end
+
 context "revisions" do
 context "should not be removed when first committed above 0" do
 it { is_expected.to be_nil }
 end
 context "should not decrease with the same version" do
- before { formula_gsub_commit "revision 2", "revision 1" }
+ before { formula_gsub_origin_commit "revision 2", "revision 1" }
 it { is_expected.to match("revision should not decrease (from 2 to 1)") }
 end
 context "should not be removed with the same version" do
- before { formula_gsub_commit "revision 2" }
+ before { formula_gsub_origin_commit "revision 2" }
 it { is_expected.to match("revision should not decrease (from 2 to 0)") }
 end
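Review bot: The new "should not change with the same version" case leaves origin at the single revision created in the setup and only edits the working copy through `formula_gsub`, so it never exercises the revision walk whose checksum bookkeeping this commit changes; a second committed origin revision at the same version (presumably via `formula_gsub_origin_commit`, which reads and rewrites `origin_formula_path`) before the working-copy sha256 edit would show that the audit compares against the newest committed checksum rather than the last revision visited. The "can change with the different version" case interleaves `formula_gsub` and `formula_gsub_origin_commit`, and which url/sha256 pair the working copy and origin each end up with is not obvious from the calls; a one-line comment above the `before` stating the intended end state would make the `be_nil` expectation checkable by a reader. The enclosing `describe` and the helper methods' full bodies are outside the hunk.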
@@ -428,15 +458,15 @@ module Homebrew
 end
 context "should be removed with a newer version" do
- before { formula_gsub_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz" }
+ before { formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz" }
 it { is_expected.to match("'revision 2' should be removed") }
 end
 context "should not warn on an newer version revision removal" do
 before do
- formula_gsub_commit "revision 2", ""
- formula_gsub_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
+ formula_gsub_origin_commit "revision 2", ""
+ formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
 end
 it { is_expected.to be_nil }
@@ -453,9 +483,9 @@ module Homebrew
 context "should not warn on past increment by more than 1" do
 before do
- formula_gsub_commit "revision 2", "# no revision"
- formula_gsub_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
- formula_gsub_commit "# no revision", "revision 3"
+ formula_gsub_origin_commit "revision 2", "# no revision"
+ formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
+ formula_gsub_origin_commit "# no revision", "revision 3"
 end
 it { is_expected.to be_nil }
@@ -464,16 +494,16 @@ module Homebrew
 context "version_schemes" do
 context "should not decrease with the same version" do
- before { formula_gsub_commit "version_scheme 1" }
+ before { formula_gsub_origin_commit "version_scheme 1" }
 it { is_expected.to match("version_scheme should not decrease (from 1 to 0)") }
 end
 context "should not decrease with a new version" do
 before do
- formula_gsub_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
- formula_gsub_commit "version_scheme 1", ""
- formula_gsub_commit "revision 2", ""
+ formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
+ formula_gsub_origin_commit "version_scheme 1", ""
+ formula_gsub_origin_commit "revision 2", ""
 end
 it { is_expected.to match("version_scheme should not decrease (from 1 to 0)") }
@@ -481,10 +511,10 @@ module Homebrew
 context "should only increment by 1" do
 before do
- formula_gsub_commit "version_scheme 1", "# no version_scheme"
- formula_gsub_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
- formula_gsub_commit "revision 2", ""
- formula_gsub_commit "# no version_scheme", "version_scheme 3"
+ formula_gsub_origin_commit "version_scheme 1", "# no version_scheme"
+ formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
+ formula_gsub_origin_commit "revision 2", ""
+ formula_gsub_origin_commit "# no version_scheme", "version_scheme 3"
 end
 it { is_expected.to match("version_schemes should only increment by 1") }
@@ -500,8 +530,8 @@ module Homebrew
 context "committed can decrease" do
 before do
- formula_gsub_commit "revision 2"
- formula_gsub_commit "foo-1.0.tar.gz", "foo-0.9.tar.gz"
+ formula_gsub_origin_commit "revision 2"
+ formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-0.9.tar.gz"
 end
 it { is_expected.to be_nil }