electron / get

Download Electron release artifacts
https://npm.im/@electron/get
MIT License

Shasum check is not robust #210

Closed ChALkeR closed 1 year ago

ChALkeR commented 2 years ago

First of all, it's great to see that the longstanding issue of trusting a remote SHASUMS256.txt file has been fixed. Huge thanks for that!

There is a bug in the impl though: it doesn't recheck that shasums match when it pulls a file out of cache. That happens in https://github.com/electron/get/blob/main/src/index.ts#L72-L82 -- that codepath returns the file from cache without any shasum verification, regardless of how it got into the cache.

Steps to reproduce, variant 1

  1. npm i electron
  2. replace the cache file (look in ~/.cache/electron) with something else
  3. npm i electron in another dir -- the tampered file will be used without any shasum check

Steps to reproduce, variant 2

  1. npm i electron to get npm packages
  2. rm -rf ~/.cache/electron to clear cache
  3. Replace the hash in node_modules/electron/checksums.json to simulate a hash mismatch
  4. rm -rf ~/node_modules/electron/dist to trigger reinstall
  5. node ./node_modules/electron/install.js now fails, as it should
  6. electron_use_remote_checksums=1 node ./node_modules/electron/install.js succeeds (expected)
  7. rm -rf ~/node_modules/electron/dist to trigger reinstall
  8. node ./node_modules/electron/install.js succeeds, despite the hash mismatching the expected one in checksums.json.

I.e. if the first call to whatever put the package in cache has been done e.g. with the electron_use_remote_checksums env var, or without the checksums option, or with the unsafelyDisableChecksums option, the follow-up call which has the checksums option set and expects them to be validated against those supplied ones won't get them validated.

Same as when the cache has been corrupted or tampered with, allowing e.g. long-term CI poisoning via cache artifacts.
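An added example, not code from @electron/get, of a cache layer that enforces the expected SHA-256 on a cache hit exactly as on a fresh download: a tampered cached copy is evicted and re-fetched instead of being returned (variant 1 above), and an artifact whose hash differs from the supplied checksum still fails even when a copy is already cached (variant 2). It assumes a `fetcher` callback standing in for the HTTP download and uses a constructed artifact in a temporary directory.

```typescript
import { createHash } from 'node:crypto';
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

export type Fetcher = (name: string) => Buffer;   // stands in for the HTTP download (assumption)

export function sha256Hex(data: Buffer): string {
  return createHash('sha256').update(data).digest('hex');
}

// Return the verified artifact bytes. The cache is treated as untrusted input:
// the expected checksum is checked on a cache hit just as it is on a download,
// regardless of how (or with which options) the file got into the cache.
export function getArtifact(name: string, cacheDir: string,
                            checksums: Record<string, string>, fetcher: Fetcher): Buffer {
  const expected = checksums[name];
  if (!expected) throw new Error(`no expected checksum for ${name}`);
  const cached = path.join(cacheDir, name);
  if (fs.existsSync(cached)) {
    const data = fs.readFileSync(cached);
    if (sha256Hex(data) === expected) return data;   // genuine cache hit
    fs.rmSync(cached, { force: true });              // evict the bad copy, fall through to download
  }
  const data = fetcher(name);
  const actual = sha256Hex(data);
  if (actual !== expected)                           // never write unverified bytes into the cache
    throw new Error(`checksum mismatch for ${name}: expected ${expected}, got ${actual}`);
  fs.mkdirSync(cacheDir, { recursive: true });
  fs.writeFileSync(cached, data);
  return data;
}

// Demo of both variants from the report on a constructed artifact in a temp dir.
export function demo(): { tamperRecovered: boolean; mismatchRejected: boolean } {
  const cacheDir = fs.mkdtempSync(path.join(os.tmpdir(), 'get-demo-'));
  const good = Buffer.from('constructed electron-v0.0.0-linux-x64.zip');   // constructed payload
  const name = 'electron.zip';
  const sums = { [name]: sha256Hex(good) };
  const fetcher: Fetcher = () => good;
  try {
    getArtifact(name, cacheDir, sums, fetcher);                   // populate the cache
    fs.writeFileSync(path.join(cacheDir, name), 'tampered');      // variant 1: tamper with the cache
    const tamperRecovered = getArtifact(name, cacheDir, sums, fetcher).equals(good);
    let mismatchRejected = false;                                 // variant 2: expected hash differs
    try { getArtifact(name, cacheDir, { [name]: '0'.repeat(64) }, fetcher); } catch { mismatchRejected = true; }
    return { tamperRecovered, mismatchRejected };
  } finally {
    fs.rmSync(cacheDir, { recursive: true, force: true });
  }
}
```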

continuous-auth[bot] commented 1 year ago

:tada: This issue has been resolved in version 2.0.3 :tada:

The release is available on:

Your semantic-release bot :package::rocket: