fix(internal/fetch): validate SHA256 in download (#3189)

julieqiu · web-flow · commit ec24497d5fa2 · 2025-12-08T11:58:12.000-05:00
DownloadTarball now returns an error early if expectedSha256 is empty,
avoiding unnecessary download attempts.
diff --git a/internal/fetch/fetch.go b/internal/fetch/fetch.go
@@ -34,6 +34,7 @@ const branch = "master"
 
 var (
 	errChecksumMismatch = errors.New("checksum mismatch")
+	errMissingSHA256    = errors.New("expectedSha256 is required")
 	defaultBackoff      = 10 * time.Second
 )
 
@@ -146,6 +147,9 @@ func DownloadTarball(ctx context.Context, target, url, expectedSha256 string) er
 	if fileExists(target) {
 		return nil
 	}
+	if expectedSha256 == "" {
+		return errMissingSHA256
+	}
 	if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
 		return err
 	}
diff --git a/internal/fetch/fetch_test.go b/internal/fetch/fetch_test.go
@@ -530,6 +530,14 @@ func TestDownloadTarballErrors(t *testing.T) {
 	}
 }
 
+func TestDownloadTarballEmptySha(t *testing.T) {
+	target := path.Join(t.TempDir(), "target")
+	err := DownloadTarball(t.Context(), target, "https://any-url", "")
+	if !errors.Is(err, errMissingSHA256) {
+		t.Errorf("expected errMissingSHA256, got: %v", err)
+	}
+}
+
 func TestLatestCommitAndChecksum(t *testing.T) {
 	const (
 		expectedCommit          = "testcommit123"

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ const branch = "master"`
`34`	`34`
`35`	`35`	`var (`
`36`	`36`	`errChecksumMismatch = errors.New("checksum mismatch")`
	`37`	`+ errMissingSHA256 = errors.New("expectedSha256 is required")`
`37`	`38`	`defaultBackoff = 10 * time.Second`
`38`	`39`	`)`
`39`	`40`
`@@ -146,6 +147,9 @@ func DownloadTarball(ctx context.Context, target, url, expectedSha256 string) er`
`146`	`147`	`if fileExists(target) {`
`147`	`148`	`return nil`
`148`	`149`	`}`
	`150`	`+ if expectedSha256 == "" {`
	`151`	`+ return errMissingSHA256`
	`152`	`+ }`
`149`	`153`	`if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {`
`150`	`154`	`return err`
`151`	`155`	`}`
Original file line number	Diff line number	Diff line change
`@@ -530,6 +530,14 @@ func TestDownloadTarballErrors(t *testing.T) {`
`530`	`530`	`}`
`531`	`531`	`}`
`532`	`532`
	`533`	`+func TestDownloadTarballEmptySha(t *testing.T) {`
	`534`	`+ target := path.Join(t.TempDir(), "target")`
	`535`	`+ err := DownloadTarball(t.Context(), target, "https://any-url", "")`
	`536`	`+ if !errors.Is(err, errMissingSHA256) {`
	`537`	`+ t.Errorf("expected errMissingSHA256, got: %v", err)`
	`538`	`+ }`
	`539`	`+}`
	`540`	`+`
`533`	`541`	`func TestLatestCommitAndChecksum(t *testing.T) {`
`534`	`542`	`const (`
`535`	`543`	`expectedCommit = "testcommit123"`