Verified Commit e7f1fdac authored by Karel Koci's avatar Karel Koci 🤘

Make missing package hashes in repository index fatal

This changes the default behavior for security reasons. The idea is to fail
if a package can't be verified against the repository index because the index
offers no supported hash for it. This prevents packages from potentially
being falsified when the index contains only hashes unsupported by
updater, or no hash at all.

New extra argument was added to Repository command `pkg_hash_required`.
This is considered in default as set to `true` but it can be
overwritten and set to `false` to disable new behavior.

This new behavior is reported by new feature in updater language:
fatal_missing_pkg_hash
parent 99177d34
......@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
### Added
- extra argument `pkg_hash_required` for `Repository` command
### Changed
- Execution is now terminated when there is no hash for package being installed in
repository index unless `pkg_hash_required` is set to `false` for that
repository.
## [68.0.0] - 2020-11-06
### Added
- Queue messages for 'upgrade' and 'downgrade' now also prints current version in
......
......@@ -259,6 +259,11 @@ optional::
any reason or to parse it. This can be due to missing resource or invalid
verification but in both cases this is not fatal for updater execution and it
continues without this repository.
pkg_hash_required::
You can set this to `false` to disable error when package has no supported hash
in the origin repository index. You want to set this to `false` most likely
because you do not need verification of packages (for example in case of
`file://` protocol).
sig::
pubkey::
ca::
......@@ -595,6 +600,9 @@ no_error_virtual::
package fulfilled.
request_condition::
`Install` and `Uninstall` requests support `condition` extra field.
fatal_missing_pkg_hash::
Missing or no supported hash for package in repository index is considered as
fatal error now.
installed
~~~~~~~~~
......
......@@ -247,6 +247,7 @@ local allowed_repository_extras = {
["index"] = utils.arr2set({"string"}),
["priority"] = utils.arr2set({"number"}),
["optional"] = utils.arr2set({"boolean"}),
["pkg_hash_required"] = utils.arr2set({"boolean"}),
["subdirs"] = utils.arr2set({"table"}), -- obsolete
["ignore"] = utils.arr2set({"table"}), -- obsolete
}
......@@ -287,6 +288,7 @@ function repository(context, name, repo_uri, extra)
repo_uri = repo_uri,
name = repo_name,
serial = repo_serial,
pkg_hash_required = true,
}
utils.table_merge(repo, extra)
repo.priority = extra.priority or 50
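Review bot: The opt-out added in `repository` leaves no trace when it is used: `pkg_hash_required = true` is set as a default and `utils.table_merge(repo, extra)` then lets any repository declaration overwrite it, including repositories with an `http://` `repo_uri`, while the documentation presents `false` as a setting for `file://` sources. It would help to log when a repository whose `repo_uri` is not `file://` disables the check, so that a weakened integrity setting shows up in the updater log instead of passing silently. At minimum, add a comment above the default such as `-- Integrity default: reject packages lacking a supported hash in the index; only an explicit extra may turn this off`. The body of `repository` starts and ends outside this hunk, so any existing validation or logging of extras is not visible here.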
......
......@@ -55,7 +55,8 @@ local updater_features = utils.arr2set({
'relative_uri',
'no_returns',
'no_error_virtual',
'request_condition'
'request_condition',
'fatal_missing_pkg_hash',
})
-- Available functions and "constants" from global environment
......
......@@ -123,7 +123,14 @@ function package_verify(task)
package_verify_single(md5_file, "MD5Sum")
package_verify_single(sha256_file, "SHA256Sum") -- This is supported only by updater (introduced as a fault)
package_verify_single(sha256_file, "SHA256sum")
return verified
if not verified then
if task.package.repo.pkg_hash_required then
error(utils.exception("corruption",
"There is not supported hash in repository index to verify package: " + task.name))
else
WARN("Package has no hash in index to verify it: " + task.name)
end
end
end
-- Download all packages and push tasks to transaction
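Review bot: Both new messages in `package_verify` are built with `+`, which in stock Lua is arithmetic rather than concatenation, so unless the project installs a string `__add` metamethod the expression itself raises an arithmetic-on-string error. In the `pkg_hash_required = false` branch that would turn the intended warning into an abort, and in the fatal branch it would replace the `corruption` exception with a generic runtime error; use `..` in both, e.g. `WARN("Package has no hash in index to verify it: " .. task.name)`. Separately, `verified` appears to be satisfied by an `MD5Sum` entry alone, so an index carrying only MD5 would still pass the new requirement; consider whether the fatal check should insist on a SHA-256 entry. The start of `package_verify` is outside this hunk, so how `verified` is set is inferred from the visible calls.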
......@@ -151,9 +158,7 @@ function tasks_to_transaction()
for _, task in ipairs(tasks) do
if task.action == "require" then
task.real_uri:finish()
if not package_verify(task) then
WARN("Package has no hash in index to verify it: " + task.name)
end
package_verify(task)
transaction.queue_install_downloaded(task.file, task.name, task.package.Version, task.modifier)
elseif task.action == "remove" then
transaction.queue_remove(task.name)
......
......@@ -73,6 +73,7 @@ local example_output = {
}
},
name = "test1",
pkg_hash_required = true,
priority = 50,
repo_uri = "file://" .. datadir .. "/repo",
serial = 1,
......@@ -123,6 +124,7 @@ function test_get_repos_broken_nonfatal()
optional = true,
name = "test1",
repo_uri = "http://example.org/test1",
pkg_hash_required = true,
priority = 50,
serial = 1,
tp = "failed-repository"
......
......@@ -69,6 +69,7 @@ function test_repository()
name = "test-repo",
repo_uri = "http://example.org/repo",
priority = 50,
pkg_hash_required = true,
serial = 1
},
["test-repo-2-a"] = {
......@@ -77,6 +78,7 @@ function test_repository()
repo_uri = "http://example.org/repo-2",
subdirs = {'a', 'b'},
priority = 60,
pkg_hash_required = true,
serial = 2
},
["test-repo-2-b"] = {
......@@ -85,6 +87,7 @@ function test_repository()
repo_uri = "http://example.org/repo-2",
subdirs = {'a', 'b'},
priority = 60,
pkg_hash_required = true,
serial = 3
},
["test-repo-other"] = {
......@@ -93,6 +96,7 @@ function test_repository()
repo_uri = "http://example.org/repo-other",
index = "https://example.org/repo-other/Packages.gz",
priority = 50,
pkg_hash_required = true,
serial = 4
}
}, requests.known_repositories)
......
......@@ -35,11 +35,14 @@ local verify_task = {
MD5Sum = "182171ccacfc32a9f684479509ac471a",
SHA256sum = "4f54362b30f53ae6862b11ff34d22a8d4510ed2b3e757b1f285dbd1033666e55",
SHA256Sum = "4f54362b30f53ae6862b11ff34d22a8d4510ed2b3e757b1f285dbd1033666e55",
repo = {
pkg_hash_required = true
}
},
}
function test_package_verify_valid()
assert(updater.package_verify(verify_task))
updater.package_verify(verify_task)
end
function test_package_verify_invalid_md5()
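Review bot: The visible test changes only adapt `test_package_verify_valid` to the removed return value; nothing in this hunk exercises the two branches the commit introduces. A case with a task that has no `MD5Sum`/`SHA256sum` fields and `repo = { pkg_hash_required = true }` should assert that `package_verify` raises, and a second case with `pkg_hash_required = false` should assert that it returns without error, which would also exercise the message construction on both paths. With the `assert` gone, `test_package_verify_valid` now passes whenever no error is thrown, so a comment such as `-- passes when package_verify raises no error` would make that intent explicit. The rest of the test file is outside this hunk, so such cases may already exist elsewhere.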
......