
Commit 9e686f2

committed
check download file integrity
1 parent da036ba commit 9e686f2


1 file changed

+15
-1
lines changed

1 file changed

+15
-1
lines changed

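--- a/PluginsAndFeatures/azure-toolkit-for-intellij/azure-intellij-plugin-azuremcp/src/main/java/com/microsoft/azure/toolkit/intellij/azuremcp/AzureMcpPackageManager.java
+++ b/PluginsAndFeatures/azure-toolkit-for-intellij/azure-intellij-plugin-azuremcp/src/main/java/com/microsoft/azure/toolkit/intellij/azuremcp/AzureMcpPackageManager.java
@@ -2,9 +2,11 @@
 
 import com.intellij.openapi.application.PathManager;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
 import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
 import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.SystemUtils;
 import org.jetbrains.annotations.NotNull;
 
@@ -59,7 +61,7 @@ public synchronized File getAzureMcpExecutable() {
 final File azMcpTgz = new File(azMcpDir, "azmcp_" + tagName + ".tgz");
 log.info("Downloading Azure MCP Server to: " + azMcpTgz.getAbsolutePath());
 final boolean downloaded = gitHubClient.downloadToFile(asset.getBrowserDownloadUrl(), azMcpTgz);
-if (downloaded) {
+if (downloaded && digestMatches(azMcpTgz, asset.getDigest())) {
 log.info("Downloaded Azure MCP Server successfully in " + (System.currentTimeMillis() - startTime) + " ms");
 log.info("Extracting Azure MCP Server to: " + extractedDir.getAbsolutePath());
 extractTarGz(azMcpTgz, extractedDir);
@@ -80,6 +82,18 @@ public synchronized File getAzureMcpExecutable() {
 return null;
 }
 
+private boolean digestMatches(File azMcpTgz, String expectedDigest) {
+try {
+// GitHub releases API computes the SHA-256 digest of the file contents.
+// https://github.blog/changelog/2025-06-03-releases-now-expose-digests-for-release-assets/
+final String downloadFileDigest = DigestUtils.sha256Hex(new FileInputStream(azMcpTgz));
+return StringUtils.equalsIgnoreCase("sha256:" + downloadFileDigest, expectedDigest);
+} catch (final Exception e) {
+log.error("Failed to calculate file digest", e);
+return false;
+}
+}
+
 public synchronized void cleanup() {
 try {
 final String azMcpDir = PathManager.getPluginsPath() + "/azure-toolkit-for-intellij/azmcp";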
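Review bot: The `FileInputStream` opened in `digestMatches` is never closed: `DigestUtils.sha256Hex(InputStream)` reads the stream to the end but leaves closing to the caller, so each check leaks a handle on the archive, which on Windows can keep the file locked against later deletion. Wrap it in try-with-resources, and log a mismatch explicitly with the expected and computed values, since a failed integrity check is a different event from a failed download and a null `asset.getDigest()` fails closed with nothing in the hunk recording why. A short comment should also state what the check covers: the digest comes from the same release metadata as the download URL, so it detects corruption or substitution of the file in transit or storage, not a replaced release. The failure branch of `getAzureMcpExecutable` lies outside the hunk, so whether a rejected archive is deleted before the next attempt cannot be seen here.

```java
private boolean digestMatches(File azMcpTgz, String expectedDigest) {
    // … unchanged: comment on the GitHub releases digest and its changelog link …
    // The digest and the download URL come from the same release metadata: this guards
    // against a corrupted or swapped file, not against a replaced release.
    try (final FileInputStream in = new FileInputStream(azMcpTgz)) {
        final String actualDigest = "sha256:" + DigestUtils.sha256Hex(in);
        final boolean matches = StringUtils.equalsIgnoreCase(actualDigest, expectedDigest);
        if (!matches) {
            log.warn("Azure MCP Server archive digest mismatch: expected {}, computed {}", expectedDigest, actualDigest);
        }
        return matches;
    } catch (final Exception e) {
        // … unchanged: log the failure and return false …
    }
}
```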
