yarnpkg/yarn

Files are extracted before their hashes are checked.

Open

#4,638 创建于 2017年10月5日

在 GitHub 查看
 (13 评论) (0 反应) (0 负责人)JavaScript (41,514 star) (2,731 fork)batch import
cat-featuregood first issuehelp wantedtriaged

描述

Do you want to request a feature or report a bug? A bug.

What is the current behavior? Currently, downloaded files are extracted before their hashes are checked. https://github.com/yarnpkg/yarn/blob/master/src/fetchers/tarball-fetcher.js#L75

What is the expected behavior? Files should be verified before they are extracted.

贡献者指南

技术栈
javascriptnodejs
领域
cli
议题类型
bug
难度面向新贡献者的预计实现难度,1 表示很小改动,5 表示专家级工作。
3
预计时间有经验贡献者完成调查、实现、测试并准备 pull request 的粗略时间范围。
1-3 hours
活动状态议题当前的可参与程度:新鲜、活跃、陈旧、阻塞或等待维护者输入。
stale
清晰度议题是否清楚说明期望改动、验收标准和下一步。
clear
前置要求
JavaScriptNode.js async patterns
新手友好度1-100 的估计分数,表示该议题对首次贡献者的友好程度。
30
研究方向
Investigate the tarball fetcher.js file at line 75. The current code extracts the tarball before verifying the hash. To fix, move the hash verification step to occur before the extraction. Look at how the hash is computed and compared in the codebase, and ensure the downloaded file's hash is checked prior to extraction. The fix should be a localized change in the same file.
Files are extracted before their hashes are checked. · yarnpkg/yarn#4638 | Good First Issue