From 8717f82b9d7d3a05e7411a12434551474d4212f1 Mon Sep 17 00:00:00 2001
From: Alexander Bayandin
Date: Tue, 8 Dec 2020 23:26:52 +0000
Subject: [PATCH] dev-cmd/audit: add audit for checksum
---
 Library/Homebrew/resource_auditor.rb | 8 ++++
 Library/Homebrew/test/dev-cmd/audit_spec.rb | 50 +++++++++++++++++++--
 2 files changed, 54 insertions(+), 4 deletions(-)
diff --git a/Library/Homebrew/resource_auditor.rb b/Library/Homebrew/resource_auditor.rb
index 5e0e941a22..13fe554b69 100644
--- a/Library/Homebrew/resource_auditor.rb
+++ b/Library/Homebrew/resource_auditor.rb
@@ -26,6 +26,7 @@ module Homebrew
 def audit
 audit_version
 audit_download_strategy
+ audit_checksum
 audit_urls
 self
 end
@@ -72,6 +73,13 @@ module Homebrew
 problem "Redundant :using value in URL"
 end
+ def audit_checksum
+ return if spec_name == :head
+ return unless DownloadStrategyDetector.detect(url, using) <= CurlDownloadStrategy
+
+ problem "Checksum is missing" if checksum.blank?
+ end
+
 def self.curl_openssl_and_deps
 @curl_openssl_and_deps ||= begin
 formulae_names = ["curl", "openssl"]
diff --git a/Library/Homebrew/test/dev-cmd/audit_spec.rb b/Library/Homebrew/test/dev-cmd/audit_spec.rb
index d74a4ea33c..efd46f8e61 100644
--- a/Library/Homebrew/test/dev-cmd/audit_spec.rb
+++ b/Library/Homebrew/test/dev-cmd/audit_spec.rb
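Review bot: In `audit_checksum` (resource_auditor.rb, second hunk) the guard `DownloadStrategyDetector.detect(url, using) <= CurlDownloadStrategy` silently exempts every non-curl download strategy, and the method does not say what protects the integrity of those downloads instead. `Module#<=` returns `nil` for unrelated classes, so the `unless` also returns early for them, which is easy to break by rewriting the guard as an inverted `if`. I would add a comment above the guard such as `# Checksums apply only to curl-based downloads; other strategies (e.g. git) are skipped here. Class#<= is nil for unrelated classes.` Whether another audit enforces a pinned revision for the skipped strategies is not visible in this hunk. The check also asserts only that a checksum is present; any validation of its algorithm or format would have to happen elsewhere.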
@@ -564,10 +564,46 @@ module Homebrew
 let(:throttle_list) { { throttled_formulae: { "foo" => 10 } } }
 let(:versioned_head_spec_list) { { versioned_head_spec_allowlist: ["foo"] } }
+ it "doesn't allow to miss a checksum" do
+ fa = formula_auditor "foo", <<~RUBY
+ class Foo < Formula
+ url "https://brew.sh/foo-1.0.tgz"
+ end
+ RUBY
+
+ fa.audit_specs
+ expect(fa.problems.first[:message]).to match "Checksum is missing"
+ end
+
+ it "allows to miss a checksum for git strategy" do
+ fa = formula_auditor "foo", <<~RUBY
+ class Foo < Formula
+ url "https://brew.sh/foo.git", tag: "1.0", revision: "f5e00e485e7aa4c5baa20355b27e3b84a6912790"
+ end
+ RUBY
+
+ fa.audit_specs
+ expect(fa.problems).to be_empty
+ end
+
+ it "allows to miss a checksum for HEAD" do
+ fa = formula_auditor "foo", <<~RUBY
+ class Foo < Formula
+ url "https://brew.sh/foo-1.0.tgz"
+ sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
+ head "https://brew.sh/foo.tgz"
+ end
+ RUBY
+
+ fa.audit_specs
+ expect(fa.problems).to be_empty
+ end
+
 it "allows versions with no throttle rate" do
 fa = formula_auditor "bar", <<~RUBY, core_tap: true, tap_audit_exceptions: throttle_list
 class Bar < Formula
 url "https://brew.sh/foo-1.0.1.tgz"
+ sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
 end
 RUBY
@@ -579,6 +615,7 @@ module Homebrew
 fa = formula_auditor "foo", <<~RUBY, core_tap: true, tap_audit_exceptions: throttle_list
 class Foo < Formula
 url "https://brew.sh/foo-1.0.0.tgz"
+ sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
 end
 RUBY
@@ -590,6 +627,7 @@ module Homebrew
 fa = formula_auditor "foo", <<~RUBY, core_tap: true, tap_audit_exceptions: throttle_list
 class Foo < Formula
 url "https://brew.sh/foo-1.0.10.tgz"
+ sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
 end
 RUBY
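Review bot: The three new examples in the first hunk cover only a formula's top-level stable and head URLs; none covers a `resource` block that has a curl URL and no `sha256`. Because the check is added in resource_auditor.rb it presumably runs for resources as well, and a dependency archive fetched without a checksum is the case most worth pinning with a spec. I would add an example whose formula has a valid stable `sha256` plus a `resource "bar"` containing only `url "https://brew.sh/bar-1.0.tgz"`, and expect "Checksum is missing" among `fa.problems`. The later hunks in this file only add `sha256` lines to existing fixtures and need no change.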
@@ -601,6 +639,7 @@ module Homebrew
 fa = formula_auditor "foo", <<~RUBY, core_tap: true, tap_audit_exceptions: throttle_list
 class Foo < Formula
 url "https://brew.sh/foo-1.0.1.tgz"
+ sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
 end
 RUBY
@@ -612,7 +651,8 @@ module Homebrew
 fa = formula_auditor "bar", <<~RUBY, core_tap: true, tap_audit_exceptions: versioned_head_spec_list
 class Bar < Formula
 url "https://brew.sh/foo-1.0.tgz"
- head "https://brew.sh/foo-1.0.tgz"
+ sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
+ head "https://brew.sh/foo.git"
 end
 RUBY
@@ -624,7 +664,8 @@ module Homebrew
 fa = formula_auditor "bar@1", <<~RUBY, core_tap: true, tap_audit_exceptions: versioned_head_spec_list
 class BarAT1 < Formula
 url "https://brew.sh/foo-1.0.tgz"
- head "https://brew.sh/foo-1.0.tgz"
+ sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
+ head "https://brew.sh/foo.git"
 end
 RUBY
@@ -632,11 +673,12 @@ module Homebrew
 expect(fa.problems.first[:message]).to match "Versioned formulae should not have a `HEAD` spec"
 end
- it "allows ersioned formulae on the allowlist to have a `HEAD` spec" do
+ it "allows versioned formulae on the allowlist to have a `HEAD` spec" do
 fa = formula_auditor "foo", <<~RUBY, core_tap: true, tap_audit_exceptions: versioned_head_spec_list
 class Foo < Formula
 url "https://brew.sh/foo-1.0.tgz"
- head "https://brew.sh/foo-1.0.tgz"
+ sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
+ head "https://brew.sh/foo.git"
 end
 RUBY