dev-cmd/audit: tweak checksum audit. #7882

Merged
merged 1 commit into from
Jul 3, 2020
5 changes: 3 additions & 2 deletions Library/Homebrew/dev-cmd/audit.rb
Expand Up @@ -747,11 +747,11 @@ def audit_revision_and_version_scheme
current_revision = formula.revision

previous_version = nil
previous_checksum = nil
previous_version_scheme = nil
previous_revision = nil

newest_committed_version = nil
newest_committed_checksum = nil
newest_committed_revision = nil

fv.rev_list("origin/master") do |rev|
Expand All @@ -765,14 +765,15 @@ def audit_revision_and_version_scheme
previous_revision = f.revision

newest_committed_version ||= previous_version
newest_committed_checksum ||= previous_checksum
newest_committed_revision ||= previous_revision
end

break if previous_version && current_version != previous_version
end

if current_version == previous_version &&
current_checksum != previous_checksum
current_checksum != newest_committed_checksum
problem(
"stable sha256 changed without the version also changing; " \
"please create an issue upstream to rule out malicious " \
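Review bot: The guard in the second hunk still reads `current_version == previous_version` while the right-hand side of the condition now uses `newest_committed_checksum`, so the two halves of the check describe different commits. Because the loop breaks as soon as `previous_version` differs from `current_version`, `previous_version` is the first older version whenever origin history contains one; the guard is then false and the checksum comparison is skipped exactly in the case it is meant to catch, a checksum edit at HEAD on top of a history with earlier versions. Keeping both sides on the newest committed formula is consistent: `if current_version == newest_committed_version &&` followed by the unchanged `current_checksum != newest_committed_checksum`. Whether the existing spec fixtures reach this path depends on collapsed setup, so this is inferred from the visible loop and guard only. `audit_revision_and_version_scheme` starts and ends outside the hunk.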
68 changes: 49 additions & 19 deletions Library/Homebrew/test/dev-cmd/audit_spec.rb
Expand Up @@ -363,6 +363,7 @@ class Foo < Formula
origin_formula_path.write <<~RUBY
class Foo#{foo_version} < Formula
url "https://brew.sh/foo-1.0.tar.gz"
sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"
revision 2
version_scheme 1
end
Expand All @@ -388,7 +389,7 @@ def formula_gsub(before, after = "")
formula_path.write text
end

def formula_gsub_commit(before, after = "")
def formula_gsub_origin_commit(before, after = "")
text = origin_formula_path.read
text.gsub!(before, after)
origin_formula_path.unlink
Expand All @@ -404,19 +405,48 @@ def formula_gsub_commit(before, after = "")
end
end

context "checksums" do
context "should not change with the same version" do
before do
formula_gsub(
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
)
end

it { is_expected.to match("stable sha256 changed without the version also changing") }
end

context "can change with the different version" do
before do
formula_gsub_origin_commit(
'sha256 "31cccfc6630528db1c8e3a06f6decf2a370060b982841cfab2b8677400a5092e"',
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
)
formula_gsub "foo-1.0.tar.gz", "foo-1.1.tar.gz"
formula_gsub_origin_commit(
'sha256 "3622d2a53236ed9ca62de0616a7e80fd477a9a3f862ba09d503da188f53ca523"',
'sha256 "e048c5e6144f5932d8672c2fade81d9073d5b3ca1517b84df006de3d25414fc1"',
)
end

it { is_expected.to be_nil }
end
end

context "revisions" do
context "should not be removed when first committed above 0" do
it { is_expected.to be_nil }
end

context "should not decrease with the same version" do
before { formula_gsub_commit "revision 2", "revision 1" }
before { formula_gsub_origin_commit "revision 2", "revision 1" }

it { is_expected.to match("revision should not decrease (from 2 to 1)") }
end

context "should not be removed with the same version" do
before { formula_gsub_commit "revision 2" }
before { formula_gsub_origin_commit "revision 2" }

it { is_expected.to match("revision should not decrease (from 2 to 0)") }
end
Expand All @@ -428,15 +458,15 @@ def formula_gsub_commit(before, after = "")
end

context "should be removed with a newer version" do
before { formula_gsub_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz" }
before { formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz" }

it { is_expected.to match("'revision 2' should be removed") }
end

context "should not warn on an newer version revision removal" do
before do
formula_gsub_commit "revision 2", ""
formula_gsub_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
formula_gsub_origin_commit "revision 2", ""
formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
end

it { is_expected.to be_nil }
Expand All @@ -453,9 +483,9 @@ def formula_gsub_commit(before, after = "")

context "should not warn on past increment by more than 1" do
before do
formula_gsub_commit "revision 2", "# no revision"
formula_gsub_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
formula_gsub_commit "# no revision", "revision 3"
formula_gsub_origin_commit "revision 2", "# no revision"
formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
formula_gsub_origin_commit "# no revision", "revision 3"
end

it { is_expected.to be_nil }
Expand All @@ -464,27 +494,27 @@ def formula_gsub_commit(before, after = "")

context "version_schemes" do
context "should not decrease with the same version" do
before { formula_gsub_commit "version_scheme 1" }
before { formula_gsub_origin_commit "version_scheme 1" }

it { is_expected.to match("version_scheme should not decrease (from 1 to 0)") }
end

context "should not decrease with a new version" do
before do
formula_gsub_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
formula_gsub_commit "version_scheme 1", ""
formula_gsub_commit "revision 2", ""
formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
formula_gsub_origin_commit "version_scheme 1", ""
formula_gsub_origin_commit "revision 2", ""
end

it { is_expected.to match("version_scheme should not decrease (from 1 to 0)") }
end

context "should only increment by 1" do
before do
formula_gsub_commit "version_scheme 1", "# no version_scheme"
formula_gsub_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
formula_gsub_commit "revision 2", ""
formula_gsub_commit "# no version_scheme", "version_scheme 3"
formula_gsub_origin_commit "version_scheme 1", "# no version_scheme"
formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-1.1.tar.gz"
formula_gsub_origin_commit "revision 2", ""
formula_gsub_origin_commit "# no version_scheme", "version_scheme 3"
end

it { is_expected.to match("version_schemes should only increment by 1") }
Expand All @@ -500,8 +530,8 @@ def formula_gsub_commit(before, after = "")

context "committed can decrease" do
before do
formula_gsub_commit "revision 2"
formula_gsub_commit "foo-1.0.tar.gz", "foo-0.9.tar.gz"
formula_gsub_origin_commit "revision 2"
formula_gsub_origin_commit "foo-1.0.tar.gz", "foo-0.9.tar.gz"
end

it { is_expected.to be_nil }
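Review bot: Neither new `checksums` context distinguishes the old `previous_checksum` comparison from the new `newest_committed_checksum` one, if the helpers behave as their names and visible bodies suggest: the first context has a single origin commit, so both values are the same checksum, and the second changes the local url to `foo-1.1.tar.gz` via `formula_gsub`, so the audit's version guard skips the checksum comparison before either value matters. A regression case for the audit change would commit two origin revisions with the same url and different checksums and leave the working formula on the older checksum, expecting `is_expected.to match("stable sha256 changed without the version also changing")`. The description `"can change with the different version"` reads better as `"can change with a different version"`. The setup that commits the original fixture and the body of `formula_gsub_origin_commit` are collapsed, so the single-commit assumption is inferred.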