Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Use SHA-256 checksums from trusted mirrors only #493

Merged
merged 10 commits into from
Mar 7, 2022
Merged

[Security] Use SHA-256 checksums from trusted mirrors only #493

merged 10 commits into from
Mar 7, 2022

Conversation

ddalcino
Copy link
Contributor

@ddalcino ddalcino commented Feb 27, 2022
edited
Loading

This change causes aqt to use SHA-256 checksums for all downloads, and only download them from a list of trusted mirrors. By default, this list includes only https://download.qt.io, but the settings.ini file may be used to modify this list. The settings.ini file can also be used to set the number of times to retry the failed download of a checksum.

Partially addresses #488

Todo:

  • Require checksums for Updates.xml files

sonatype-lift[bot]
sonatype-lift bot reviewed Feb 27, 2022
View reviewed changes
aqt/helper.py Outdated Show resolved Hide resolved
ddalcino added 5 commits March 6, 2022 17:36
@ddalcino
Add setting for trusted_mirrors
b92ee99
@ddalcino
Use sha256 hashes only from trusted mirrors
7ebd6aa 
To keep this commit small, `hashurl` was removed from QtPackage, and
`get_hash` constructs the hash url based on the url of the 7z archive
to download. I think that in the future, QtArchive and QtPackage could
be refactored to construct this url more appropriately. However, this
would be a complicated change that doesn't belong in this commit.
@ddalcino
Load settings automatically for each test
404eaf1 
This uses a fixture to load the default settings file before each test.
Tests that require a different settings file (ie test_settings) can be
configured to skip this step using this line of code:

    @pytest.mark.load_default_settings(False)

This change is necessary to be able to run these tests in isolation from
each other. The `altlink`, `getUrl` and `downloadBinaryFile` functions
are all dependent on Settings, and you cannot test them without loading
a Settings file first. Without this change, when these tests ran, they
used a Settings object loaded up in some previous test, which could have
loaded some Settings file that we do not want. If we try to run these
tests without loading a Settings file, they will just fail to run
because Settings doesn't exist yet.
@ddalcino
Refactor: split QtArchive.archive_url into parts
96af3eb 
This splits QtArchive.archive_url into two new datamembers: archive_path
and base_url. Ultimately, base_url should be removed from QtPackage
entirely.
@ddalcino
It's no secret that we need a random number!
2c5c261
ddalcino added 4 commits March 6, 2022 17:56
@ddalcino
WIP use checksums for updates.xml files
f979d80
@ddalcino
Update tests to require proper checksums
be23b62
@ddalcino
Check hashes for xml files
5a7adb6
@ddalcino
Fix failure to use fallback for getlist
12d20a3 
aqt.helper.MyConfigParser.getlist fails to retrieve a fallback list when
the `section` parameter does not exist in the `settings.ini` file.
This ensures that the fallback is used when that key is missing.
@ddalcino
Allow MetadataFactory.fetch_http to skip sha256
b62db9e 
`MetadataFactory.fetch_http` must often download HTML pages, not
Updates.xml files. download.qt.io does not store checksums for these
files, so this particular function must be allowed to download these
pages without using a checksum.
@ddalcino ddalcino mentioned this pull request Mar 7, 2022
Closed
@ddalcino ddalcino marked this pull request as ready for review March 7, 2022 02:52
@miurahr
Copy link
Owner

miurahr commented Mar 7, 2022
edited
Loading

The change looks good and all the installation/compilation test are passed, and I observed that these tests downloads SHA256 hash files for check.
I'd like to merge it, push release v2.1.0, and ask users for feedback.

@miurahr miurahr merged commit 9010df2 into miurahr:master Mar 7, 2022
@ddalcino ddalcino deleted the retry_checksums branch March 8, 2022 16:13
@ddalcino
Copy link
Contributor Author

ddalcino commented Mar 8, 2022

I can’t help but worry that there’s some security flaw that I’m overlooking here. This sonatype output shows several preexisting flaws that we should probably fix before a full v2.1.0 release (maybe this deserves a separate issue):
https://lift.sonatype.com/results/github.com/miurahr/aqtinstall/01FXH2M8SHR30EFH8N7K0KZX9D

On the other hand, I agree that this change is important enough to let users begin using it as soon as possible. I prefer to release it as v2.1.0rc1.

@ddalcino ddalcino mentioned this pull request Mar 20, 2022
Merged
@miurahr miurahr added this to the version 2.1 milestone Apr 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sonatype-lift sonatype-lift[bot] sonatype-lift[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
version 2.1
Development

Successfully merging this pull request may close these issues.
2 participants
@ddalcino @miurahr