Validate shasum's of downloaded Node.js runtimes (#4159)

SonarSource · Sep 13, 2023 · 8fec5e0 · 8fec5e0
1 parent 9f93c74
commit 8fec5e0
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/tools/fetch-node/README.md b/tools/fetch-node/README.md
@@ -1,6 +1,6 @@
 # Fetch node.js runtimes tooling
 
-## Fetch runtimes and compress them
+## Fetch runtimes, compress them and copy them to plugin
 
 Run `npm run fetch-node`
 

diff --git a/tools/fetch-node/node-distros.mjs b/tools/fetch-node/node-distros.mjs
@@ -9,13 +9,16 @@ export default [
   {
     id: 'win-x64',
     url: `https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-win-x64.zip`,
+    sha: '5d2596a00699fadf0ffa8e651f47ff5d719991014b920544d59c80d78569d42f',
   },
   {
     id: 'macos-arm64',
     url: `https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-darwin-arm64.tar.gz`,
+    sha: '9cc794517788aee103dfcffa04d0b90ac33854b0d10eb11a26ba4be38403f731',
   },
   {
     id: 'linux-x64',
     url: `https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-x64.tar.gz`,
+    sha: 'a8678ae00425acdf692e943e3f1cea11a4c46281e4257b82886423bd4ef6f2b5',
   },
 ];
diff --git a/tools/fetch-node/scripts/fetch-node.mjs b/tools/fetch-node/scripts/fetch-node.mjs
@@ -24,6 +24,7 @@ import decompress from 'decompress';
 import decompressTargz from 'decompress-targz';
 import * as path from 'node:path';
 import * as stream from 'node:stream';
+import * as crypto from 'node:crypto';
 import NODE_DISTROS from '../node-distros.mjs';
 import { DOWNLOAD_DIR, RUNTIMES_DIR } from './directories.mjs';
 
@@ -36,11 +37,23 @@ for (const distro of NODE_DISTROS) {
   const filename = getFilenameFromUrl(distro.url);
   const archiveFilename = path.join(DOWNLOAD_DIR, filename);
   await downloadFile(distro.url, archiveFilename);
+  validateFile(distro.sha, archiveFilename);
   await extractFile(archiveFilename, DOWNLOAD_DIR);
   const distroName = removeExtension(filename);
   copyRuntime(distroName, distro.id, DOWNLOAD_DIR, RUNTIMES_DIR);
 }
 
+function validateFile(sha, filename) {
+  const file = fs.readFileSync(filename);
+  const hashSum = crypto.createHash('sha256');
+  hashSum.update(file);
+  if (sha !== hashSum.digest('hex')) {
+    console.log(`SHAsum for ${filename} invalid.`);
+    process.exit(1);
+  }
+  console.log(`SHAsum valid for ${filename}`);
+}
+
 /**
  * Retrieves the last part of a URL path
  *