diff options
Diffstat (limited to 'cli/npm')
| -rw-r--r-- | cli/npm/registry.rs | 28 | ||||
| -rw-r--r-- | cli/npm/resolution/snapshot.rs | 6 | ||||
| -rw-r--r-- | cli/npm/tarball.rs | 26 |
3 files changed, 40 insertions, 20 deletions
diff --git a/cli/npm/registry.rs b/cli/npm/registry.rs index ed0911697..0b35079de 100644 --- a/cli/npm/registry.rs +++ b/cli/npm/registry.rs @@ -1,5 +1,6 @@ // Copyright 2018-2023 the Deno authors. All rights reserved. MIT license. +use std::borrow::Cow; use std::cmp::Ordering; use std::collections::HashMap; use std::collections::HashSet; @@ -178,8 +179,31 @@ impl NpmPackageVersionInfo { pub struct NpmPackageVersionDistInfo { /// URL to the tarball. pub tarball: String, - pub shasum: String, - pub integrity: Option<String>, + shasum: String, + integrity: Option<String>, +} + +impl NpmPackageVersionDistInfo { + #[cfg(test)] + pub fn new( + tarball: String, + shasum: String, + integrity: Option<String>, + ) -> Self { + Self { + tarball, + shasum, + integrity, + } + } + + pub fn integrity(&self) -> Cow<String> { + self + .integrity + .as_ref() + .map(Cow::Borrowed) + .unwrap_or_else(|| Cow::Owned(format!("sha1-{}", self.shasum))) + } } pub trait NpmRegistryApi: Clone + Sync + Send + 'static { diff --git a/cli/npm/resolution/snapshot.rs b/cli/npm/resolution/snapshot.rs index d7da35eba..ad6aee6d9 100644 --- a/cli/npm/resolution/snapshot.rs +++ b/cli/npm/resolution/snapshot.rs @@ -275,11 +275,7 @@ impl NpmResolutionSnapshot { id: package_id.clone(), copy_index: copy_index_resolver.resolve(&package_id), // temporary dummy value - dist: NpmPackageVersionDistInfo { - tarball: "foobar".to_string(), - shasum: "foobar".to_string(), - integrity: Some("foobar".to_string()), - }, + dist: NpmPackageVersionDistInfo::default(), dependencies, }; diff --git a/cli/npm/tarball.rs b/cli/npm/tarball.rs index 504d44dca..7fce69cda 100644 --- a/cli/npm/tarball.rs +++ b/cli/npm/tarball.rs @@ -21,16 +21,7 @@ pub fn verify_and_extract_tarball( dist_info: &NpmPackageVersionDistInfo, output_folder: &Path, ) -> Result<(), AnyError> { - if let Some(integrity) = &dist_info.integrity { - verify_tarball_integrity(package, data, integrity)?; - } else { - // todo(dsherret): check shasum here - bail!( - "Errored on '{}@{}': npm packages with no integrity are not implemented.", - package.0, - package.1, - ); - } + verify_tarball_integrity(package, data, &dist_info.integrity())?; with_folder_sync_lock(package, output_folder, || { extract_tarball(data, output_folder) @@ -43,11 +34,11 @@ fn verify_tarball_integrity( npm_integrity: &str, ) -> Result<(), AnyError> { use ring::digest::Context; - use ring::digest::SHA512; let (algo, expected_checksum) = match npm_integrity.split_once('-') { Some((hash_kind, checksum)) => { let algo = match hash_kind { - "sha512" => &SHA512, + "sha512" => &ring::digest::SHA512, + "sha1" => &ring::digest::SHA1_FOR_LEGACY_USE_ONLY, hash_kind => bail!( "Not implemented hash function for {}@{}: {}", package.0, @@ -145,10 +136,19 @@ mod test { "Not implemented integrity kind for package@1.0.0: test", ); assert_eq!( + verify_tarball_integrity(package, &Vec::new(), "notimplemented-test") + .unwrap_err() + .to_string(), + "Not implemented hash function for package@1.0.0: notimplemented", + ); + assert_eq!( verify_tarball_integrity(package, &Vec::new(), "sha1-test") .unwrap_err() .to_string(), - "Not implemented hash function for package@1.0.0: sha1", + concat!( + "Tarball checksum did not match what was provided by npm ", + "registry for package@1.0.0.\n\nExpected: test\nActual: 2jmj7l5rsw0yvb/vlwaykk/ybwk=", + ), ); assert_eq!( verify_tarball_integrity(package, &Vec::new(), "sha512-test") |