search

codecov / codecov-bash

Global coverage report uploader for Codecov
https://codecov.io
Apache License 2.0
234 stars 155 forks source link

Issues with documented validation script #427

Closed dlorenc closed 3 years ago

dlorenc commented 3 years ago

Hey,

There are a few subtle bugs with the documented verification script: https://docs.codecov.io/docs/about-the-codecov-bash-uploader#validating-the-bash-script

I put together a quick example on how the unquoted bash variable can be abused: https://gist.github.com/dlorenc/152ccd0735196d892d21771e4e0f762a

thomasrockhu commented 3 years ago

Hi @dlorenc, thanks for the message here. Regarding VERSION, we cannot yet remove it from the documentation, as the time between committing to the production branch can be minutes before it loads up on our CDN. In that time, the SHAs will not match.

However, would something like this be reasonable for now,

VERSION=$(grep 'VERSION=\".*\"' codecov | cut -d'"' -f2);
for i in 1 256 512
do
 shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM") ||
 shasum -a $i -c <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
done

I also am not sure what you mean by the script ignoring the algorithm. I believe it's specified as shasum -a $i

zenmonkeykstop commented 3 years ago

Another possible workaround would be to pull the latest release version from Github (though you would probably also run into timing problems depending on how releases go):

curl -s https://codecov.io/env > env;    # this also needs checking! but it's not in the SHASUMs right now                  
curl -s https://codecov.io/bash > codecov;                              
VERSION=$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')
curl -s https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA256SUM > codecov-hashes
shasum -a 256 -c --ignore-missing codecov-hashes
thomasrockhu commented 3 years ago

@zenmonkeykstop, I think we will still be running into the timing issue between releases. Regarding the env script, I'm updating the other uploaders to not depend on --ignore-missing as some earlier versions of shasum do not accept it.

zenmonkeykstop commented 3 years ago

In that case, won't it definitely need to be present?

thomasrockhu commented 3 years ago

@zenmonkeykstop, sorry I don't quite understand

zenmonkeykstop commented 3 years ago

The env script is invoked in the same way as codecov, so it would also need to be hashed and verified.

thomasrockhu commented 3 years ago

@zenmonkeykstop oh 100%, but the env script is not always run. In that case, users shouldn't have to pull down another file. Running shasum should verify regardless of whether or not the env script is present (i.e. verify if if it exists, else don't fail).

Right now, running an older version of shasum will error out as --ignore-missing does not exist as an argument. I'm patching the other versions to allow it. Then, I will update and push a new version of the bash script that will add the env SHAs (see this PR)

PureKrome commented 3 years ago

hi @thomasrockhu - could the documentation please be updated to include a full example of how to do this, please? Many of us don't have bash script skills, especially when we come from windows backgrounds. The docs are assuming the reader has some understanding with bash and pipes, etc. For many of us, we just want to grab the script and use it our CI. That, or maybe some more detailed explanations for us non-script people (blush!)

Also, to docs are saying two things:

some of us might be mislead and think 'calc the checksum' also includes checking to see if it's ok/valid.

so yeah .. a complete example would be awesome, please 🙏🏻

Note: previously I asked the similar question on SO before I knew about this repo.

joseph-galindo commented 3 years ago

Hey @dlorenc, about this part:

The shasum script (at least on my machine) ignores the specified algorithm during checking. So using three algorithms doesn't really do anything

Assuming you're using shasum 5.84 or newer on MacOS, I also noticed this behavior. The reason is that for checks, the internal implementation of shasum determines the algorithm to use for dynamic "actual" hash generation based on the length of the incoming "trusted"/"expected" hash.

What this means is that if you provide a SHA256 hash for checking, but run shasum -a 512 -c, the request to use the SHA512 algorithm is effectively ignored, and instead a SHA256 hash is generated dynamically and used for the integrity check against your provided "trusted" hash.

The source is here which I think can give more insight: https://perldoc.perl.org/5.18.4/shasum https://perldoc.perl.org/5.18.4/shasum.txt

Mainly

$alg = defined $sum ? $len2alg{length($sum)} : undef;

With that said, I think older versions of shasum do use the algorithm provided by -a directly; the length-based mapping wasn't always implemented. So in general I'd recommend always providing -a to be safe, even though in your case it's likely determining the algorithm based on trusted hash length.

dlorenc commented 3 years ago

Assuming you're using shasum 5.84 or newer on MacOS, I also noticed this behavior. The reason is that for checks, the internal implementation of shasum determines the algorithm to use for dynamic "actual" hash generation based on the length of the incoming "trusted"/"expected" hash.

Thanks! Yep, I was using that version on OSX. Another victim of algorithm agility :)

PureKrome commented 3 years ago

@thomasrockhu Hi Tom - any update on when the docs will get updated, please?

dinvlad commented 3 years ago

Another workaround for this is using

curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${CODECOV_VERSION}/SHA${i}SUM" | grep codecov
thomasrockhu commented 3 years ago

@PureKrome the docs have been updated, and you can checkout this post for more details.