Generate and validate integrity of downloaded packages (#5978)

Author: michelleangela

Extension/gulpfile.js

@@ -21,6 +21,8 @@ const vinyl = require('vinyl');
 const parse5 = require('parse5');
 const traverse = require('parse5-traverse');
 const jsonc = require('jsonc-parser'); // Used to allow comments in nativeStrings.json
+const crypto = require('crypto');
+const https = require('https');
 
 
 // Patterns to find HTML files
@@ -290,6 +292,108 @@ gulp.task("translations-import", (done) => {
     }));
 });
 
+// ****************************
+// Command: generate-package-hashes
+// Generates a hash for each dependency package
+// ****************************
+
+async function DownloadFile(urlString) {
+    const buffers = [];
+    return new Promise((resolve, reject) => {
+        const req = https.request(urlString, (response) => {
+            if (response.statusCode === 301 || response.statusCode === 302) {
+                // Redirect - download from new location
+                let redirectUrl;
+                if (typeof response.headers.location === "string") {
+                    redirectUrl = response.headers.location;
+                } else {
+                    if (!response.headers.location) {
+                        console.log(`Invalid download location received`);
+                        return reject();
+                    }
+                    redirectUrl = response.headers.location[0];
+                }
+                console.log(`Using redirectUrl: '${redirectUrl}'`);
+                return resolve(DownloadFile(redirectUrl));
+            } else if (response.statusCode !== 200) {
+                if (response.statusCode === undefined || response.statusCode === null) {
+                    console.log("unknown error code.");
+                    return reject();
+                }
+                console.log(`failed with error code: '${response.statusCode}'`);
+                return reject();
+            }
+
+            response.on('data', (data) => {
+                buffers.push(data);
+            });
+
+            response.on('end', () => {
+                if (buffers.length > 0) {
+                    return resolve(Buffer.concat(buffers));
+                } else {
+                    return reject();
+                }
+            });
+
+            response.on('error', err => {
+                console.log(`problem with request: '${err.message}'`);
+                return reject();
+            });
+        });
+
+        req.on('error', err => {
+            console.log(`problem with request: '${err.message}'`);
+            return reject();
+        });
+
+        // Execute the request
+        req.end();
+    });
+    
+}
+
+async function generatePackageHashes(packageJson) {
+    const downloadAndGetHash = async (url) => {
+        console.log(url);
+        try {
+            const buf = await DownloadFile(url);
+            if (buf) {
+                const hash = crypto.createHash('sha256');
+                hash.update(buf);
+                const value = hash.digest('hex').toUpperCase();
+                return value;
+            }
+            return undefined;
+        } catch (err) {
+            return undefined;
+        }
+    };
+
+    for (let dependency of packageJson.runtimeDependencies) {
+        console.log(`-------- Downloading package: '${dependency.description}' --------`);
+        const hash = await downloadAndGetHash(dependency.url);
+        if (hash) {
+            dependency.integrity = hash;
+            console.log(`integrity: '${hash}'`);
+        } else {
+            console.log(`No hash generated for package '${dependency.description}`);
+        }
+        console.log(`\n`);
+    }
+
+    let content = JSON.stringify(packageJson, null, 2);
+    return content;
+}
+
+gulp.task('generate-package-hashes', async (done) => {
+    const packageJsonPath = './package.json';
+    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath).toString());
+    const content = await generatePackageHashes(packageJson);
+    fs.writeFileSync(packageJsonPath, content);
+    done();
+});
+
 
 // ****************************
 // Command: translations-generate

Extension/jobs/build.windows.yml

@@ -17,6 +17,10 @@ jobs:
     displayName: "Install Dependencies"
     workingDirectory: '$(Build.SourcesDirectory)\Extension'
 
+  - script: yarn run generatePackageHashes
+    displayName: "Generate hashes for runtime dependency packages"
+    workingDirectory: '$(Build.SourcesDirectory)/Extension'
+
   - script: yarn run compile
     displayName: "Compile Sources"
     workingDirectory: '$(Build.SourcesDirectory)\Extension'

Extension/jobs/build.yml

@@ -16,6 +16,10 @@ jobs:
     displayName: "Install Dependencies"
     workingDirectory: '$(Build.SourcesDirectory)/Extension'
 
+  - script: yarn run generatePackageHashes
+    displayName: "Generate hashes for runtime dependency packages"
+    workingDirectory: '$(Build.SourcesDirectory)/Extension'
+
   - script: yarn run compile
     displayName: "Compile Sources"
     workingDirectory: '$(Build.SourcesDirectory)/Extension'

Extension/package.json

@@ -2208,6 +2208,7 @@
     "translations-import": "node ./tools/prepublish.js && gulp translations-import",
     "prepublishjs": "node ./tools/prepublish.js",
     "pretest": "tsc -p test.tsconfig.json",
+    "generatePackageHashes": "gulp generate-package-hashes",
     "pr-check": "gulp pr-check",
     "lint": "gulp lint",
     "unitTests": "tsc -p test.tsconfig.json && node ./out/test/unitTests/runTest.js",
@@ -2299,7 +2300,8 @@
       "binaries": [
         "./bin/cpptools",
         "./bin/cpptools-srv"
-      ]
+      ],
+      "integrity": "292D438B2573D17D18E30C4723702118BBCCB0049388C1B76879E9A15FE784FD"
     },
     {
       "description": "C/C++ language components (Linux / armhf)",
@@ -2313,7 +2315,8 @@
       "binaries": [
         "./bin/cpptools",
         "./bin/cpptools-srv"
-      ]
+      ],
+      "integrity": "61C2656ABD3856A657D6103D169838528F9454D39E7DA36A92B272AC2A052067"
     },
     {
       "description": "C/C++ language components (Linux / aarch64)",
@@ -2327,7 +2330,8 @@
       "binaries": [
         "./bin/cpptools",
         "./bin/cpptools-srv"
-      ]
+      ],
+      "integrity": "61C2656ABD3856A657D6103D169838528F9454D39E7DA36A92B272AC2A052067"
     },
     {
       "description": "C/C++ language components (OS X)",
@@ -2338,7 +2342,8 @@
       "binaries": [
         "./bin/cpptools",
         "./bin/cpptools-srv"
-      ]
+      ],
+      "integrity": "3CAAFD3A5375F4F3EA2D7EA4B432C1917FDC3B548CA81C5D032041A07821B121"
     },
     {
       "description": "C/C++ language components (Windows)",
@@ -2349,7 +2354,8 @@
       "binaries": [
         "./bin/cpptools.exe",
         "./bin/cpptools-srv.exe"
-      ]
+      ],
+      "integrity": "F98CB4D80013A119EB0043BA1A85E1E5966E6F160264A28E19D9D57ABD7FD015"
     },
     {
       "description": "ClangFormat (Linux / x86_64)",
@@ -2362,7 +2368,8 @@
       ],
       "binaries": [
         "./LLVM/bin/clang-format"
-      ]
+      ],
+      "integrity": "B8381B87B83EE1AF9088AA6679F2DA013DC23A21D9EC5603C58DEFC323ED9617"
     },
     {
       "description": "ClangFormat (Linux / armhf)",
@@ -2375,7 +2382,8 @@
       ],
       "binaries": [
         "./LLVM/bin/clang-format"
-      ]
+      ],
+      "integrity": "F06D3741192FFD7BB96BF9327D9DE1BBF6A9DB9753DA971C727D20D38835C1A9"
     },
     {
       "description": "ClangFormat (Linux / aarch64)",
@@ -2388,7 +2396,8 @@
       ],
       "binaries": [
         "./LLVM/bin/clang-format"
-      ]
+      ],
+      "integrity": "F06D3741192FFD7BB96BF9327D9DE1BBF6A9DB9753DA971C727D20D38835C1A9"
     },
     {
       "description": "ClangFormat (OS X)",
@@ -2398,7 +2407,8 @@
       ],
       "binaries": [
         "./LLVM/bin/clang-format.darwin"
-      ]
+      ],
+      "integrity": "416D3B814A76E52D943B3372D517D6AADE0AB0BD9FD9921F871C1FB89D7B17B1"
     },
     {
       "description": "ClangFormat (Windows)",
@@ -2408,7 +2418,8 @@
       ],
       "binaries": [
         "./LLVM/bin/clang-format.exe"
-      ]
+      ],
+      "integrity": "E5A2543FA2D45B964B43AE770A6D50F8698B592485E7E883005FFF52BFAD0CCD"
     },
     {
       "description": "Mono Framework Assemblies",
@@ -2417,7 +2428,8 @@
         "linux",
         "darwin"
       ],
-      "binaries": []
+      "binaries": [],
+      "integrity": "579295329C1825588B6251EEA56571D1B9555BD529AA1A319CDFE741BC22D786"
     },
     {
       "description": "Mono Runtime (Linux / x86_64)",
@@ -2430,7 +2442,8 @@
       ],
       "binaries": [
         "./debugAdapters/mono.linux-x86_64"
-      ]
+      ],
+      "integrity": "927C5094E83CE64EDC3A267EE1F13267CFA09FC1E9A5ADC870A752C05AD26F17"
     },
     {
       "description": "Mono Runtime (Linux / armhf)",
@@ -2443,7 +2456,8 @@
       ],
       "binaries": [
         "./debugAdapters/mono.linux-armhf"
-      ]
+      ],
+      "integrity": "D2D1FE7FB5CC5B2A60364F08829467509879D603FC951AC3805B530C8CEEF981"
     },
     {
       "description": "Mono Runtime (Linux / arm64)",
@@ -2456,7 +2470,8 @@
       ],
       "binaries": [
         "./debugAdapters/mono.linux-arm64"
-      ]
+      ],
+      "integrity": "946C54C8C6BF5BF79AC05D4E152F8D8647700FA786C21505832B3C79988339B4"
     },
     {
       "description": "Mono Runtime (OS X)",
@@ -2466,7 +2481,8 @@
       ],
       "binaries": [
         "./debugAdapters/mono.osx"
-      ]
+      ],
+      "integrity": "5D9E5AB3E921D138887BD12FF46B02BFC85B692B438EDFAAEB1E1E7837F1D40B"
     },
     {
       "description": "LLDB-MI (macOS Mojave and higher)",
@@ -2478,7 +2494,8 @@
       "matchVersion": false,
       "binaries": [
         "./debugAdapters/lldb-mi/bin/lldb-mi"
-      ]
+      ],
+      "integrity": "6C2CD2797380DE2F3EA2A991BA4DACE265920922C4E18A80FAC515B30C1D0B99"
     },
     {
       "description": "LLDB 3.8.0 (macOS High Sierra and lower)",
@@ -2493,7 +2510,8 @@
         "./debugAdapters/lldb/bin/lldb-mi",
         "./debugAdapters/lldb/bin/lldb-argdumper",
         "./debugAdapters/lldb/bin/lldb-launcher"
-      ]
+      ],
+      "integrity": "D4ACCD43F562E42CE30879AC15ADF5FB6AA50656795DCE8F3AD32FB108BB3B7E"
     },
     {
       "description": "Visual Studio Windows Debugger",
@@ -2503,7 +2521,8 @@
       ],
       "binaries": [
         "./debugAdapters/vsdbg/bin/vsdbg.exe"
-      ]
+      ],
+      "integrity": "CF1A01AA75275F76800F6BC1D289F2066DCEBCD983376D344ABF6B03FDB8FEA0"
     }
   ]
 }

Extension/src/packageManager.ts

@@ -20,10 +20,22 @@ import { IncomingMessage, ClientRequest } from 'http';
 import { Logger } from './logger';
 import * as nls from 'vscode-nls';
 import { Readable } from 'stream';
+import * as crypto from 'crypto';
 
 nls.config({ messageFormat: nls.MessageFormat.bundle, bundleFormat: nls.BundleFormat.standalone })();
 const localize: nls.LocalizeFunc = nls.loadMessageBundle();
 
+export function isValidPackage(buffer: Buffer, integrity: string): boolean {
+    if (integrity && integrity.length > 0) {
+        const hash: crypto.Hash = crypto.createHash('sha256');
+        hash.update(buffer);
+        const value: string = hash.digest('hex').toUpperCase();
+        return (value === integrity.toUpperCase());
+    }
+    // No integrity has been specified
+    return true;
+}
+
 export interface IPackage {
     // Description of the package
     description: string;
@@ -49,6 +61,9 @@ export interface IPackage {
 
     // Internal location to which the package was downloaded
     tmpFile: tmp.FileResult;
+
+    // sha256 hash of the package
+    integrity: string;
 }
 
 export class PackageManagerError extends Error {
@@ -240,6 +255,7 @@ export class PackageManager {
             rejectUnauthorized: proxyStrictSSL
         };
 
+        const buffers: Buffer[] = [];
         return new Promise<void>((resolve, reject) => {
             let secondsDelay: number = Math.pow(2, delay);
             if (secondsDelay === 1) {
@@ -292,6 +308,7 @@ export class PackageManager {
                         this.AppendChannel(`(${Math.ceil(packageSize / 1024)} KB) `);
 
                         response.on('data', (data) => {
+                            buffers.push(data);
                             // Update dots after package name in output console
                             const newDots: number = Math.ceil(downloadPercentage / 5);
                             if (newDots > dots) {
@@ -300,7 +317,14 @@ export class PackageManager {
                             }
                         });
 
-                        response.on('end', resolve);
+                        response.on('end', () => {
+                            const packageBuffer: Buffer = Buffer.concat(buffers);
+                            if (isValidPackage(packageBuffer, pkg.integrity)) {
+                                resolve();
+                            } else {
+                                reject(new PackageManagerError('Invalid content received. Hash is incorrect.', localize("invalid.content.received", 'Invalid content received. Hash is incorrect.'), 'DownloadFile', pkg));
+                            }
+                        });
 
                         response.on('error', (error) =>
                             reject(new PackageManagerWebResponseError(response.socket, 'HTTP/HTTPS Response Error', localize("web.response.error", 'HTTP/HTTPS Response Error'), 'DownloadFile', pkg, error.stack, error.name)));