Prevents loading the cache if the stored integrity doesnt match

yarnpkg · Sep 28, 2019 · 0474b8c · 0474b8c
1 parent 7f606ec
commit 0474b8c
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/src/package-fetcher.js b/src/package-fetcher.js
@@ -9,8 +9,17 @@ import * as fetchers from './fetchers/index.js';
 import * as fs from './util/fs.js';
 import * as promise from './util/promise.js';
 
-async function fetchCache(dest: string, fetcher: Fetchers, config: Config): Promise<FetchedMetadata> {
-  const {hash, package: pkg} = await config.readPackageMetadata(dest);
+const ssri = require('ssri');
+
+async function fetchCache(dest: string, fetcher: Fetchers, config: Config, integrity: ?string): Promise<FetchedMetadata> {
+  const {hash, package: pkg, remote} = await config.readPackageMetadata(dest);
+
+  if (integrity) {
+    if (!remote.integrity || !ssri.parse(integrity).match(remote.integrity)) {
+      throw new MessageError('Incorrect integrity when fetching from the cache');
+    }
+  }
+
   await fetcher.setupMirrorFromCache();
   return {
     package: pkg,
@@ -40,7 +49,7 @@ export async function fetchOneRemote(
 
   const fetcher = new Fetcher(dest, remote, config);
   if (await config.isValidModuleDest(dest)) {
-    return fetchCache(dest, fetcher, config);
+      return fetchCache(dest, fetcher, config, remote.integrity);
   }
 
   // remove as the module may be invalid