Skip to content

test that arbitrary files cannot be checksummed#250

Merged
CreatorHead merged 1 commit intomainfrom
test-checksum-files
Jan 21, 2026
Merged

test that arbitrary files cannot be checksummed#250
CreatorHead merged 1 commit intomainfrom
test-checksum-files

Conversation

@schmichael
Copy link
Member

@schmichael schmichael commented May 7, 2020

New test asserts that only the checksums for retrieved files will be
checked. If a checksum file references other files, those will not be
checked.

This is an important security assertion as checksum files should not
cause go-getter to read arbitrary paths and report if their contents
match a checksum.

@schmichael schmichael requested review from azr and sylviamoss May 7, 2020 16:03
mwhooker
mwhooker approved these changes May 7, 2020
View reviewed changes
Copy link
Contributor

@mwhooker mwhooker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm.

Just so I make sure I understand, the test is saying that there's a bad checksum in multifile-sha1.sum, but we didn't download that file, so don't try to checksum that file locally, and ignore the checksum line?

@schmichael
Copy link
Member Author

schmichael commented May 7, 2020

@mwhooker Yes! Exactly. Should I expand the test case comment? I tried to keep it brief to match the existing style, but it's definitely a weird test. The goal of the test is the help ensure we don't make a change that could cause a security issue for embedders like Nomad.

@mwhooker
Copy link
Contributor

mwhooker commented May 7, 2020

It couldn't hurt. There are a lot of tests in that table, and it could be that the subtlety of this one gets lost in the sea

sylviamoss
sylviamoss approved these changes May 11, 2020
View reviewed changes
Copy link

@sylviamoss sylviamoss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!!
Are you going to update the comment? Would it be nice to have more details about the security concern?

@mdeggies mdeggies changed the base branch from master to main October 23, 2020 00:53
@hashicorp-cla
Copy link

hashicorp-cla commented Mar 12, 2022
edited
Loading

CLA assistant check
All committers have signed the CLA.

azr
azr approved these changes Mar 21, 2022
View reviewed changes
Copy link
Contributor

@azr azr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM ! Might need a rebase

@schmichael @CreatorHead
test that arbitrary files cannot be checksummed
7c609f9 
New test asserts that only the checksums for retrieved files will be
checked. If a checksum file references other files, those will not be
checked.

This is an important security assertion as checksum files should not
cause go-getter to read arbitrary paths and report if their contents
match a checksum.
@CreatorHead CreatorHead requested a review from a team as a code owner January 21, 2026 08:20
@CreatorHead CreatorHead merged commit 2fed359 into main Jan 21, 2026
12 checks passed
@nasareeny nasareeny mentioned this pull request Feb 23, 2026
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sonamtenzin2 sonamtenzin2 sonamtenzin2 approved these changes

@CreatorHead CreatorHead CreatorHead approved these changes

+3 more reviewers

@mwhooker mwhooker mwhooker approved these changes

@azr azr azr approved these changes

@sylviamoss sylviamoss sylviamoss approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@schmichael @mwhooker @hashicorp-cla @azr @sylviamoss @sonamtenzin2 @CreatorHead