yarnpkg/yarn

Files are extracted before their hashes are checked.

Open

#4638 opened on Oct 5, 2017

View on GitHub
 (13 comments) (0 reactions) (0 assignees)JavaScript (41,514 stars) (2,731 forks)batch import
cat-featuregood first issuehelp wantedtriaged

Description

Do you want to request a feature or report a bug? A bug.

What is the current behavior? Currently, downloaded files are extracted before their hashes are checked. https://github.com/yarnpkg/yarn/blob/master/src/fetchers/tarball-fetcher.js#L75

What is the expected behavior? Files should be verified before they are extracted.

Contributor guide

Tech stack
javascriptnodejs
Domain
cli
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
JavaScriptNode.js async patterns
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
30
Research direction
Investigate the tarball fetcher.js file at line 75. The current code extracts the tarball before verifying the hash. To fix, move the hash verification step to occur before the extraction. Look at how the hash is computed and compared in the codebase, and ensure the downloaded file's hash is checked prior to extraction. The fix should be a localized change in the same file.