shasum check for uploaded tarballs

2024-12-30 22:34:10 -05:00 · 2013-10-22 11:45:19 +04:00 · 2013-10-22 11:45:19 +04:00 · 78f856cf81
commit 78f856cf81
parent 61658cfbdc
2 changed files with 36 additions and 6 deletions
--- a/lib/local-storage.js
+++ b/lib/local-storage.js
@ -154,6 +154,23 @@ Storage.prototype.add_version = function(name, version, metadata, tag, callback)
 			}))
 		}

+		// if uploaded tarball has a different shasum, it's very likely that we have some kind of error
+		if (utils.is_object(metadata.dist) && typeof(metadata.dist.tarball) === 'string') {
+			var tarball = metadata.dist.tarball.replace(/.*\//, '')
+			if (utils.is_object(data._attachments[tarball])) {
+				if (data._attachments[tarball].shasum != null && metadata.dist.shasum != null) {
+					if (data._attachments[tarball].shasum != metadata.dist.shasum) {
+						return cb(new UError({
+							status: 400,
+							msg: 'shasum error, ' + data._attachments[tarball].shasum + ' != ' + metadata.dist.shasum,
+						}))
+					}
+				}
+
+				data._attachments[tarball].version = version
+			}
+		}
+
 		data.versions[version] = metadata
 		data['dist-tags'][tag] = version
 		cb()
--- a/test/basic.js
+++ b/test/basic.js
@ -1,8 +1,9 @@
-var assert = require('assert');
-var readfile = require('fs').readFileSync;
-var ex = module.exports;
-var server = process.server;
-var server2 = process.server2;
+var assert = require('assert')
+  , readfile = require('fs').readFileSync
+  , crypto = require('crypto')
+  , ex = module.exports
+  , server = process.server
+  , server2 = process.server2

 ex['trying to fetch non-existent package'] = function(cb) {
 	server.get_package('testpkg', function(res, body) {
@ -67,8 +68,20 @@ ex['uploading new package version for bad pkg'] = function(cb) {
 	});
 };

+ex['uploading new package version (bad sha)'] = function(cb) {
+	var pkg = require('./lib/package')('testpkg')
+	pkg.dist.shasum = crypto.createHash('sha1').update('fake').digest('hex')
+	server.put_version('testpkg', '0.0.1', pkg, function(res, body) {
+		assert.equal(res.statusCode, 400);
+		assert(~body.error.indexOf('shasum error'));
+		cb();
+	});
+};
+
 ex['uploading new package version'] = function(cb) {
-	server.put_version('testpkg', '0.0.1', require('./lib/package')('testpkg'), function(res, body) {
+	var pkg = require('./lib/package')('testpkg')
+	pkg.dist.shasum = crypto.createHash('sha1').update(readfile('fixtures/binary')).digest('hex')
+	server.put_version('testpkg', '0.0.1', pkg, function(res, body) {
 		assert.equal(res.statusCode, 201);
 		assert(~body.ok.indexOf('published'));
 		cb();