dev-cmd/audit: add audit for checksum

Homebrew · Dec 8, 2020 · 8717f82 · 8717f82
1 parent ddfd499
commit 8717f82
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 4 deletions.
diff --git a/Library/Homebrew/resource_auditor.rb b/Library/Homebrew/resource_auditor.rb
@@ -26,6 +26,7 @@ def initialize(resource, spec_name, options = {})
     def audit
       audit_version
       audit_download_strategy
+      audit_checksum
       audit_urls
       self
     end
@@ -72,6 +73,13 @@ def audit_download_strategy
       problem "Redundant :using value in URL"
     end
 
+    def audit_checksum
+      return if spec_name == :head
+      return unless DownloadStrategyDetector.detect(url, using) <= CurlDownloadStrategy
+
+      problem "Checksum is missing" if checksum.blank?
+    end
+
     def self.curl_openssl_and_deps
       @curl_openssl_and_deps ||= begin
         formulae_names = ["curl", "openssl"]

diff --git a/Library/Homebrew/test/dev-cmd/audit_spec.rb b/Library/Homebrew/test/dev-cmd/audit_spec.rb
@@ -564,10 +564,46 @@ class Foo < Formula
       let(:throttle_list) { { throttled_formulae: { "foo" => 10 } } }
       let(:versioned_head_spec_list) { { versioned_head_spec_allowlist: ["foo"] } }
 
+      it "doesn't allow to miss a checksum" do
+        fa = formula_auditor "foo", <<~RUBY
+          class Foo < Formula
+            url "https://brew.sh/foo-1.0.tgz"
+          end
+        RUBY
+
+        fa.audit_specs
+        expect(fa.problems.first[:message]).to match "Checksum is missing"
+      end
+
+      it "allows to miss a checksum for git strategy" do
+        fa = formula_auditor "foo", <<~RUBY
+          class Foo < Formula
+            url "https://brew.sh/foo.git", tag: "1.0", revision: "f5e00e485e7aa4c5baa20355b27e3b84a6912790"
+          end
+        RUBY
+
+        fa.audit_specs
+        expect(fa.problems).to be_empty
+      end
+
+      it "allows to miss a checksum for HEAD" do
+        fa = formula_auditor "foo", <<~RUBY
+          class Foo < Formula
+            url "https://brew.sh/foo-1.0.tgz"
+            sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
+            head "https://brew.sh/foo.tgz"
+          end
+        RUBY
+
+        fa.audit_specs
+        expect(fa.problems).to be_empty
+      end
+
       it "allows versions with no throttle rate" do
         fa = formula_auditor "bar", <<~RUBY, core_tap: true, tap_audit_exceptions: throttle_list
           class Bar < Formula
             url "https://brew.sh/foo-1.0.1.tgz"
+            sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
           end
         RUBY
 
@@ -579,6 +615,7 @@ class Bar < Formula
         fa = formula_auditor "foo", <<~RUBY, core_tap: true, tap_audit_exceptions: throttle_list
           class Foo < Formula
             url "https://brew.sh/foo-1.0.0.tgz"
+            sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
           end
         RUBY
 
@@ -590,6 +627,7 @@ class Foo < Formula
         fa = formula_auditor "foo", <<~RUBY, core_tap: true, tap_audit_exceptions: throttle_list
           class Foo < Formula
             url "https://brew.sh/foo-1.0.10.tgz"
+            sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
           end
         RUBY
 
@@ -601,6 +639,7 @@ class Foo < Formula
         fa = formula_auditor "foo", <<~RUBY, core_tap: true, tap_audit_exceptions: throttle_list
           class Foo < Formula
             url "https://brew.sh/foo-1.0.1.tgz"
+            sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
           end
         RUBY
 
@@ -612,7 +651,8 @@ class Foo < Formula
         fa = formula_auditor "bar", <<~RUBY, core_tap: true, tap_audit_exceptions: versioned_head_spec_list
           class Bar < Formula
             url "https://brew.sh/foo-1.0.tgz"
-            head "https://brew.sh/foo-1.0.tgz"
+            sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
+            head "https://brew.sh/foo.git"
           end
         RUBY
 
@@ -624,19 +664,21 @@ class Bar < Formula
         fa = formula_auditor "bar@1", <<~RUBY, core_tap: true, tap_audit_exceptions: versioned_head_spec_list
           class BarAT1 < Formula
             url "https://brew.sh/foo-1.0.tgz"
-            head "https://brew.sh/foo-1.0.tgz"
+            sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
+            head "https://brew.sh/foo.git"
           end
         RUBY
 
         fa.audit_specs
         expect(fa.problems.first[:message]).to match "Versioned formulae should not have a `HEAD` spec"
       end
 
-      it "allows ersioned formulae on the allowlist to have a `HEAD` spec" do
+      it "allows versioned formulae on the allowlist to have a `HEAD` spec" do
         fa = formula_auditor "foo", <<~RUBY, core_tap: true, tap_audit_exceptions: versioned_head_spec_list
           class Foo < Formula
             url "https://brew.sh/foo-1.0.tgz"
-            head "https://brew.sh/foo-1.0.tgz"
+            sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
+            head "https://brew.sh/foo.git"
           end
         RUBY