Correctly detect and classify tag object hashes (thanks @diabonas)
kpcyrd committed May 30, 2022
1 parent b54ba3d commit ada3c9e
Showing 2 changed files with 17 additions and 5 deletions.
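--- a/src/fsck.rs
+++ b/src/fsck.rs
@@ -98,13 +98,19 @@ struct GitSource {
 impl GitSource {
 fn is_commit_securely_pinned(&self) -> bool {
 if let Some(commit) = &self.commit {
-commit.len() == 40
+is_git_object_hash(commit)
+} else if let Some(tag) = &self.tag {
+is_git_object_hash(tag)
 } else {
 false
 }
 }
 }
 
+fn is_git_object_hash(name: &str) -> bool {
+name.len() == 40 && name.chars().all(|c| matches!(c, '0'..='9' | 'a'..='f'))
+}
+
 impl FromStr for GitSource {
 type Err = Error;
 
@@ -275,9 +281,13 @@ pub async fn check_pkg(pkg: &str, work_dir: Option<PathBuf>, discover_sigs: bool
 
 if discover_sigs {
 if let Some(upstream) = github::detect_signed_tag_from_url(&source.url)? {
-let tag =
-github::fetch_tag(&client, &upstream.owner, &upstream.name, &upstream.tag)
-.await?;
+let tag = github::fetch_tag(
+&client,
+&upstream.owner,
+&upstream.name,
+&upstream.tag,
+)
+.await?;
 if tag.object.r#type == "tag" {
 info!(
 "✨ There's likely a signed tag here we could use: {:?}",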
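Review bot: The new `is_git_object_hash` in the first hunk has no doc comment, and its 40-lowercase-hex rule silently encodes two decisions a reader would otherwise have to guess at: repositories using git's SHA-256 object format (64-hex ids) are reported as not pinned, and uppercase hex, which git itself resolves, is rejected — both fail closed, which is the right direction for a pinning check, but it should be stated. I would add above the function: `/// True if name is a full SHA-1 object id (40 lowercase hex chars). SHA-256 ids (64 hex) and uppercase hex are deliberately rejected so the check fails closed.` The new `tag` branch in `is_commit_securely_pinned` also deserves a why-comment, since a hash-shaped `tag=` fragment only pins anything if the consumer checks it out by object id rather than as a ref name, which I believe is how makepkg treats it but is worth confirming; something like `// a hash-shaped tag fragment is checked out by object id, so it pins like commit=`. Note that when both `commit` and `tag` are set the tag is ignored, which is fine but should be said in the method's doc.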
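--- a/src/main.rs
+++ b/src/main.rs
@@ -60,7 +60,9 @@ async fn main() -> Result<()> {
 for pkg in pkgs {
 info!("Checking {:?}", pkg);
 
-if let Err(err) = fsck::check_pkg(&pkg, check.work_dir.clone(), check.discover_sigs).await {
+if let Err(err) =
+fsck::check_pkg(&pkg, check.work_dir.clone(), check.discover_sigs).await
+{
 error!("Failed to check package: {:?} => {:#}", pkg, err);
 }
 }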
