Merge pull request #287 from codecov/update-validation-regex

Update validation regex, pull checksums into script, and bump to 1.4.1
Lint
2025-12-23 20:27:02 +08:00 · 2021-04-20 08:59:13 -04:00 · 2021-04-20 08:38:33 -04:00 · 2021-04-20 08:35:56 -04:00 · 2021-04-19 21:23:35 -04:00 · 2021-04-16 12:54:26 -04:00
8 changed files with 283 additions and 49 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,29 +1,33 @@
+## 1.4.1
+## Fixes
+- #287 Update VERSION regex to restrict on digits and dot and move checksums into script
+
+## 1.4.0
+### Features
+- #282 Add checksum verification of bash script
+
 ## 1.3.2
- # Overwrites pr number for pull_request_target events
+### Fixes
+- #264 Overwrites pr number for pull_request_target events

 ## 1.3.1
-
 ### Fixes
 - #253 Add `network_filter` to action manifest

 ## 1.3.0
-
 ### Features
 - #252 Add "network_filter" input

 ## 1.2.2
-
 ### Fixes
 - #241 pass root_dir using proper bash arg
 - #244 Overwrite the commit on pull_request* events

 ## 1.2.1
-
 ### Fixes
 - #196 Add parameters to the action.yml

 ## 1.2.0
-
 ### Features
 - #193 Add all the bash params

@@ -31,13 +35,11 @@
 - #193 Fixes issue with working-directory

 ## 1.1.1
-
 ### Fixes
 - #184 Add automations ensure proper builds and deployments
 - #184 Fixes verbose flag

 ## 1.1.0
-
 ### Features
 - #110 Add "working-directory:" input
 - #174 Support Xcode specificed parameters
--- a/action.yml
+++ b/action.yml
@@ -59,6 +59,9 @@ inputs:
  name:
    description: 'User defined upload name. Visible in Codecov UI'
    required: false
+  network_filter:
+    description: 'Used to restrict the set of git/hg files that can be matched with filenames in the coverage report. This is useful for monorepos or other setups where a full filepath may not be specified in the coverage report, and that shortened filepath may appear multiple times in a directory structure (e.g. __init__.py)'
+    required: false
  override_branch:
    description: 'Specify the branch name'
    required: false
@@ -74,9 +77,6 @@ inputs:
  override_tag:
    description: 'Specify the git tag'
    required: false
-  network_filter:
-    description: 'Used to restrict the set of git/hg files that can be matched with filenames in the coverage report. This is useful for monorepos or other setups where a full filepath may not be specified in the coverage report, and that shortened filepath may appear multiple times in a directory structure (e.g. __init__.py)'
-    required: false
  path_to_write_report:
    description: 'Write upload file to path before uploading'
    required: false
--- a/dist/index.js
+++ b/dist/index.js
@@ -13152,12 +13152,49 @@ module.exports = {"$id":"log.json#","$schema":"http://json-schema.org/draft-06/s

 "use strict";

+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (_) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
 exports.__esModule = true;
 var core = __webpack_require__(470);
 var exec = __webpack_require__(986);
 var fs = __webpack_require__(747);
 var request = __webpack_require__(335);
 var buildExec_1 = __webpack_require__(983);
+var validate_1 = __webpack_require__(743);
 var failCi;
 try {
    request({
@@ -13165,49 +13202,61 @@ try {
        maxAttempts: 10,
        timeout: 3000,
        url: 'https://codecov.io/bash',
-    }, function (error, response, body) {
-        var _a = buildExec_1["default"](), execArgs = _a.execArgs, options = _a.options, filepath = _a.filepath, failCi = _a.failCi;
-        try {
-            if (error && failCi) {
-                throw error;
-            }
-            else if (error) {
-                core.warning("Codecov warning: " + error.message);
-            }
-            fs.writeFile(filepath, body, function (err) {
-                if (err && failCi) {
-                    throw err;
+    }, function (error, response, body) { return __awaiter(void 0, void 0, void 0, function () {
+        var _a, execArgs, options, filepath, failCi, isValid, failure;
+        return __generator(this, function (_b) {
+            _a = buildExec_1["default"](), execArgs = _a.execArgs, options = _a.options, filepath = _a.filepath, failCi = _a.failCi;
+            try {
+                isValid = validate_1["default"](body);
+                if (!isValid) {
+                    failure = 'Codecov failure: ' +
+                        'Bash script checksums do not match published values. ' +
+                        'Please contact security@codecov.io immediately.';
+                    core.setFailed(failure);
+                    throw new Error(failure);
                }
-                else if (err) {
-                    core.warning("Codecov warning: " + err.message);
+                if (error && failCi) {
+                    throw error;
                }
-                exec.exec('bash', execArgs, options)["catch"](function (err) {
-                    if (failCi) {
-                        core.setFailed("Codecov failed with the following error: " + err.message);
+                else if (error) {
+                    core.warning("Codecov warning: " + error.message);
+                }
+                fs.writeFile(filepath, body, function (err) {
+                    if (err && failCi) {
+                        throw err;
                    }
-                    else {
+                    else if (err) {
                        core.warning("Codecov warning: " + err.message);
                    }
-                })
-                    .then(function () {
-                    unlinkFile();
-                });
-                var unlinkFile = function () {
-                    fs.unlink(filepath, function (err) {
-                        if (err && failCi) {
-                            throw err;
+                    exec.exec('bash', execArgs, options)["catch"](function (err) {
+                        if (failCi) {
+                            core.setFailed("Codecov failed with the following error: " + err.message);
                        }
-                        else if (err) {
+                        else {
                            core.warning("Codecov warning: " + err.message);
                        }
+                    })
+                        .then(function () {
+                        unlinkFile();
                    });
-                };
-            });
-        }
-        catch (error) {
-            core.setFailed("Codecov failed with the following error: " + error.message);
-        }
-    });
+                    var unlinkFile = function () {
+                        fs.unlink(filepath, function (err) {
+                            if (err && failCi) {
+                                throw err;
+                            }
+                            else if (err) {
+                                core.warning("Codecov warning: " + err.message);
+                            }
+                        });
+                    };
+                });
+            }
+            catch (error) {
+                core.setFailed("Codecov failed with the following error: " + error.message);
+            }
+            return [2 /*return*/];
+        });
+    }); });
 }
 catch (error) {
    if (failCi) {
@@ -49116,7 +49165,69 @@ module.exports = function (data, opts) {


 /***/ }),
-/* 743 */,
+/* 743 */
+/***/ (function(__unusedmodule, exports, __webpack_require__) {
+
+"use strict";
+
+exports.__esModule = true;
+exports.retrieveChecksum = void 0;
+var crypto = __webpack_require__(417);
+var core = __webpack_require__(470);
+var validateUploader = function (body) {
+    var version = getVersion(body);
+    if (version === null) {
+        core.warning('Codecov could not identify the bash uploader version.');
+        return false;
+    }
+    for (var _i = 0, _a = [1, 256, 512]; _i < _a.length; _i++) {
+        var i = _a[_i];
+        var publicChecksum = exports.retrieveChecksum(version, i);
+        var uploaderChecksum = calculateChecksum(body, i);
+        if (uploaderChecksum !== publicChecksum) {
+            core.warning("Codecov " + version + " checksums for SHA" + i + " failed to match.\n" +
+                ("Public checksum:   " + publicChecksum) +
+                ("Uploader checksum: " + uploaderChecksum));
+            return false;
+        }
+    }
+    return true;
+};
+var retrieveChecksum = function (version, encryption) {
+    var checksums = {
+        '1.0.1': {
+            '1': '0ddc61a9408418c73b19a1375f63bb460dc947a8',
+            '256': '89c658e261d5f25533598a222fd96cf17a5fa0eb3772f2defac754d9970b2ec8',
+            '512': 'd075b412a362a9a2b7aedfec3b8b9a9a927b3b99e98c7c15a2b76ef09862ae' +
+                'b005e91d76a5fd71b511141496d0fd23d1b42095f722ebcd509d768fba030f159e',
+        },
+        '1.0.2': {
+            '1': '537069158a6f72b145cfe5f782dceb608d9ef594',
+            '256': 'd6aa3207c4908d123bd8af62ec0538e3f2b9f257c3de62fad4e29cd3b59b41d9',
+            '512': 'b6492196dd844cd81a688536bb42463d28bd666448335c4a8fc7f8f9b9b9af' +
+                'c346a467e3401e3fc49e6047442a30d93a4adfaa1590101224a186013c6179c48d',
+        },
+    };
+    if (version in checksums && encryption in checksums[version]) {
+        return checksums[version][encryption];
+    }
+    return null;
+};
+exports.retrieveChecksum = retrieveChecksum;
+var calculateChecksum = function (body, i) {
+    var shasum = crypto.createHash("sha" + i);
+    shasum.update(body);
+    return "" + shasum.digest('hex');
+};
+var getVersion = function (body) {
+    var regex = /VERSION="([\d\.]+)"/g;
+    var match = regex.exec(body);
+    return match ? match[1] : null;
+};
+exports["default"] = validateUploader;
+
+
+/***/ }),
 /* 744 */
 /***/ (function(module) {

--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
  "name": "codecov-action",
-  "version": "1.3.2",
+  "version": "1.4.1",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "codecov-action",
-  "version": "1.3.2",
+  "version": "1.4.1",
  "description": "Upload coverage reports to Codecov from GitHub Actions",
  "main": "index.js",
  "scripts": {
--- a/src/index.ts
+++ b/src/index.ts
@@ -5,6 +5,7 @@ const fs = require('fs');
 const request = require('requestretry');

 import buildExec from './buildExec';
+import validateUploader from './validate';

 let failCi;
 try {
@@ -13,10 +14,19 @@ try {
    maxAttempts: 10,
    timeout: 3000,
    url: 'https://codecov.io/bash',
-  }, (error, response, body) => {
+  }, async (error, response, body) => {
    const {execArgs, options, filepath, failCi} = buildExec();

    try {
+      const isValid = validateUploader(body);
+      if (!isValid) {
+        const failure = 'Codecov failure: ' +
+            'Bash script checksums do not match published values. ' +
+            'Please contact security@codecov.io immediately.';
+        core.setFailed(failure);
+        throw new Error(failure);
+      }
+
      if (error && failCi) {
        throw error;
      } else if (error) {
--- a/src/validate.test.ts
+++ b/src/validate.test.ts
@@ -0,0 +1,50 @@
+import validateUploader, {retrieveChecksum} from './validate';
+
+const request = require('requestretry');
+
+const bashScript = (async () => {
+  try {
+    const script = await request({
+      json: false,
+      maxAttempts: 10,
+      timeout: 3000,
+      url: 'https://codecov.io/bash',
+    });
+    return script.body;
+  } catch (err) {
+    throw err;
+  }
+});
+
+test('valid checksums', async () => {
+  const valid = validateUploader(await bashScript());
+  expect(valid).toBeTruthy();
+});
+
+test('invalid checksums', async () => {
+  const script = await bashScript();
+  const valid = validateUploader(script.substring(0, script.length - 1));
+  expect(valid).toBeFalsy();
+});
+
+test('invalid script version', async () => {
+  const script = await bashScript();
+  const valid = validateUploader(script.substring(0, 20));
+  expect(valid).toBeFalsy();
+});
+
+test('invalid public checksum file', () => {
+  const checksum = retrieveChecksum('foo', 'bar');
+  expect(checksum).toBeFalsy();
+});
+
+test('invalid public checksum file', () => {
+  const checksum = retrieveChecksum('foo', 'bar');
+  expect(checksum).toBeFalsy();
+});
+
+test('invalid encryption', () => {
+  const checksum = retrieveChecksum('1.0.1', 'foo');
+  expect(checksum).toBeFalsy();
+});
+
--- a/src/validate.ts
+++ b/src/validate.ts
@@ -0,0 +1,61 @@
+const crypto = require('crypto');
+
+const core = require('@actions/core');
+
+const validateUploader = (body) => {
+  const version = getVersion(body);
+  if (version === null) {
+    core.warning('Codecov could not identify the bash uploader version.');
+    return false;
+  }
+
+  for (const i of [1, 256, 512]) {
+    const publicChecksum = retrieveChecksum(version, i);
+    const uploaderChecksum = calculateChecksum(body, i);
+    if (uploaderChecksum !== publicChecksum) {
+      core.warning(
+          `Codecov ${version} checksums for SHA${i} failed to match.\n` +
+          `Public checksum:   ${publicChecksum}` +
+          `Uploader checksum: ${uploaderChecksum}`,
+      );
+      return false;
+    }
+  }
+  return true;
+};
+
+export const retrieveChecksum = (version, encryption) => {
+  const checksums = {
+    '1.0.1': {
+      '1': '0ddc61a9408418c73b19a1375f63bb460dc947a8',
+      '256': '89c658e261d5f25533598a222fd96cf17a5fa0eb3772f2defac754d9970b2ec8',
+      '512': 'd075b412a362a9a2b7aedfec3b8b9a9a927b3b99e98c7c15a2b76ef09862ae' +
+        'b005e91d76a5fd71b511141496d0fd23d1b42095f722ebcd509d768fba030f159e',
+    },
+    '1.0.2': {
+      '1': '537069158a6f72b145cfe5f782dceb608d9ef594',
+      '256': 'd6aa3207c4908d123bd8af62ec0538e3f2b9f257c3de62fad4e29cd3b59b41d9',
+      '512': 'b6492196dd844cd81a688536bb42463d28bd666448335c4a8fc7f8f9b9b9af' +
+        'c346a467e3401e3fc49e6047442a30d93a4adfaa1590101224a186013c6179c48d',
+    },
+  };
+
+  if (version in checksums && encryption in checksums[version]) {
+    return checksums[version][encryption];
+  }
+  return null;
+};
+
+const calculateChecksum = (body, i) => {
+  const shasum = crypto.createHash(`sha${i}`);
+  shasum.update(body);
+  return `${shasum.digest('hex')}`;
+};
+
+const getVersion = (body) => {
+  const regex = /VERSION="([\d\.]+)"/g;
+  const match = regex.exec(body);
+  return match ? match[1] : null;
+};
+
+export default validateUploader;
Author	SHA1	Message	Date
Tom Hu	967e2b38a8	Merge pull request #287 from codecov/update-validation-regex Update validation regex, pull checksums into script, and bump to 1.4.1	2021-04-20 08:59:13 -04:00
Tom Hu	77a7b61cd5	Lint	2021-04-20 08:38:33 -04:00
Tom Hu	50895b2a6f	Pull checksums into script	2021-04-20 08:35:56 -04:00
Tom Hu	95e6f30a60	Update validation regex and bump to 1.4.1	2021-04-19 21:23:35 -04:00
Tom Hu	0e28ff86a5	Merge pull request #284 from codecov/1.4.0 Bump to 1.4.0	2021-04-16 12:54:26 -04:00
Tom Hu	72182f9425	Bump to 1.4.0	2021-04-16 11:23:33 -04:00
Tom Hu	ce1ffb8db7	Merge pull request #282 from codecov/add-checksum-verification Add checksum verification of bash script	2021-04-16 11:21:04 -04:00
Tom Hu	864620acb9	Use i not 1	2021-04-16 07:58:51 -04:00
Tom Hu	6ac8172373	copypasta	2021-04-15 22:30:15 -04:00
Tom Hu	5ab0dbc584	alpha	2021-04-15 22:28:38 -04:00
Tom Hu	5e8c27dd4d	tab	2021-04-15 22:26:06 -04:00
Tom Hu	444b352d52	Update tests	2021-04-15 22:25:03 -04:00
Tom Hu	83cbbf806b	Add another test	2021-04-15 22:10:41 -04:00
Tom Hu	040839f579	Add validation of checksums	2021-04-15 22:08:27 -04:00
Tom Hu	6e56f7a5a6	Test version pulling	2021-04-15 11:25:10 -04:00