mirror of
https://github.com/pnpm/pnpm.git
synced 2026-05-31 12:10:49 -04:00
e55f4b5efd
* fix(lockfile.utils): require integrity for tarball-shaped lockfile resolutions A tampered lockfile that strips the `integrity` field from a tarball resolution let the worker download the URL contents and mint a fresh integrity from the unverified bytes, so an attacker who could also serve content at the referenced URL would install a tampered package without any error — including under `--frozen-lockfile`. pnpm now rejects such entries at lockfile-read time with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`, matching pacquet's existing `pacquet_package_manager::missing_tarball_integrity` guard. * test(lockfile.utils): drop redundant integrity-less snapshot that fails strict typecheck * test(pacquet/package-manager): cover MissingTarballIntegrity rejection in snapshot_cache_key Match the upstream guard landed alongside pnpm/pnpm#11966 (`lockfile/utils/src/pkgSnapshotToResolution.ts`) with a test on the pacquet side: a `LockfileResolution::Tarball` with `integrity: None` — what a tampered lockfile looks like — must short-circuit the warm-batch cache-key derivation by surfacing `InstallPackageBySnapshotError::MissingTarballIntegrity`. The structural guard already existed but had no negative test. * fix(lockfile.utils): exempt git-hosted and file: tarballs from the integrity guard The strict guard added in the parent commit broke pnpm's own `with-git-protocol-dep` and `with-non-package-dep` fixtures: the install pipeline writes git-hosted tarball entries (codeload.github.com URLs) to the lockfile without an `integrity:` line, because the commit SHA in the URL is the integrity anchor — git's content-addressed model binds the bytes to the commit, so a separate hash adds nothing. Exempt git-hosted tarballs (detected either via the `gitHosted: true` flag or a URL on the known git hosts, matching the URL fallback in `toLockfileResolution`) and `file:` tarballs (local paths the user already controls). The strict check still fires for any other remote tarball — which is where the AutoFyn-reported vector actually manifests. Also export `isGitHostedTarballUrl` from `toLockfileResolution.ts` so the URL fallback can be shared rather than duplicated. * test(pacquet/package-manager): trim doc comment to the contract-level intent Per the repo convention that tests are documentation, the test name and body already cover what's being asserted; the prior comment duplicated that. Keep only the non-obvious why: why this guard exists at the cache-key site at all (warm-batch short-circuit) when the install-side check also rejects the same input.
113 lines
4.8 KiB
TypeScript
113 lines
4.8 KiB
TypeScript
import { expect, test } from '@jest/globals'
|
|
import { pkgSnapshotToResolution } from '@pnpm/lockfile.utils'
|
|
|
|
test('pkgSnapshotToResolution()', () => {
|
|
expect(pkgSnapshotToResolution('foo@1.0.0', {
|
|
resolution: {
|
|
integrity: 'AAAA',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/' })).toEqual({
|
|
integrity: 'AAAA',
|
|
tarball: 'https://registry.npmjs.org/foo/-/foo-1.0.0.tgz',
|
|
})
|
|
|
|
expect(pkgSnapshotToResolution('@mycompany/mypackage@2.0.0', {
|
|
resolution: {
|
|
integrity: 'AAAA',
|
|
tarball: '@mycompany/mypackage/-/@mycompany/mypackage-2.0.0.tgz',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/', '@mycompany': 'https://mycompany.jfrog.io/mycompany/api/npm/npm-local/' })).toEqual({
|
|
integrity: 'AAAA',
|
|
tarball: 'https://mycompany.jfrog.io/mycompany/api/npm/npm-local/@mycompany/mypackage/-/@mycompany/mypackage-2.0.0.tgz',
|
|
})
|
|
|
|
expect(pkgSnapshotToResolution('@mycompany/mypackage@2.0.0', {
|
|
resolution: {
|
|
integrity: 'AAAA',
|
|
tarball: '@mycompany/mypackage/-/@mycompany/mypackage-2.0.0.tgz',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/', '@mycompany': 'https://mycompany.jfrog.io/mycompany/api/npm/npm-local' })).toEqual({
|
|
integrity: 'AAAA',
|
|
tarball: 'https://mycompany.jfrog.io/mycompany/api/npm/npm-local/@mycompany/mypackage/-/@mycompany/mypackage-2.0.0.tgz',
|
|
})
|
|
|
|
expect(pkgSnapshotToResolution('@cdn.sheetjs.com/xlsx-0.18.9/xlsx-0.18.9.tgz', {
|
|
resolution: {
|
|
integrity: 'sha512-CCCC',
|
|
tarball: 'https://cdn.sheetjs.com/xlsx-0.18.9/xlsx-0.18.9.tgz',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/' })).toEqual({
|
|
integrity: 'sha512-CCCC',
|
|
tarball: 'https://cdn.sheetjs.com/xlsx-0.18.9/xlsx-0.18.9.tgz',
|
|
})
|
|
|
|
// Snapshot for a `file:` dependency whose resolution lacks the tarball
|
|
// field — the tarball should be recovered from the depPath.
|
|
expect(pkgSnapshotToResolution('test-package@file:test-package-1.0.0.tgz', {
|
|
resolution: {
|
|
integrity: 'sha512-AAAA',
|
|
},
|
|
version: '1.0.0',
|
|
}, { default: 'https://registry.npmjs.org/' })).toEqual({
|
|
integrity: 'sha512-AAAA',
|
|
tarball: 'file:test-package-1.0.0.tgz',
|
|
})
|
|
})
|
|
|
|
test('pkgSnapshotToResolution() rejects a remote tarball resolution that has no integrity', () => {
|
|
// A tampered or malformed lockfile that strips the `integrity` field
|
|
// would otherwise let pnpm download the URL contents unchecked. The
|
|
// helper must fail closed so neither install path nor any read-only
|
|
// consumer (sbom, list, etc.) silently trusts the lockfile entry.
|
|
expect(() => pkgSnapshotToResolution('foo@1.0.0', {
|
|
resolution: {
|
|
tarball: 'https://registry.npmjs.org/foo/-/foo-1.0.0.tgz',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/' })).toThrow(expect.objectContaining({ code: 'ERR_PNPM_MISSING_TARBALL_INTEGRITY' }))
|
|
|
|
// A tarball URL on an arbitrary CDN (no `gitHosted` flag, no known git
|
|
// host pattern) is still a regular remote tarball — integrity required.
|
|
expect(() => pkgSnapshotToResolution('xlsx@https+++cdn.sheetjs.com+xlsx-0.18.9+xlsx-0.18.9.tgz', {
|
|
resolution: {
|
|
tarball: 'https://cdn.sheetjs.com/xlsx-0.18.9/xlsx-0.18.9.tgz',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/' })).toThrow(expect.objectContaining({ code: 'ERR_PNPM_MISSING_TARBALL_INTEGRITY' }))
|
|
})
|
|
|
|
test('pkgSnapshotToResolution() allows git-hosted and file: tarballs to lack integrity', () => {
|
|
// Git-hosted tarballs are anchored by the commit SHA in their URL —
|
|
// pnpm's own install pipeline writes them without `integrity:` (see
|
|
// the `with-git-protocol-dep` fixture). Both the explicit
|
|
// `gitHosted: true` flag and a URL on a known git host must bypass
|
|
// the integrity check, matching the URL-fallback logic in
|
|
// `toLockfileResolution`.
|
|
expect(pkgSnapshotToResolution('foo@https+++github.com+foo+bar', {
|
|
resolution: {
|
|
tarball: 'https://codeload.github.com/foo/bar/tar.gz/abc1234',
|
|
gitHosted: true,
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/' })).toEqual({
|
|
tarball: 'https://codeload.github.com/foo/bar/tar.gz/abc1234',
|
|
gitHosted: true,
|
|
})
|
|
|
|
expect(pkgSnapshotToResolution('is-negative@https+++codeload.github.com+kevva+is-negative+tar.gz+abc', {
|
|
resolution: {
|
|
tarball: 'https://codeload.github.com/kevva/is-negative/tar.gz/abc1234',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/' })).toEqual({
|
|
tarball: 'https://codeload.github.com/kevva/is-negative/tar.gz/abc1234',
|
|
})
|
|
|
|
// `file:` tarballs are local files; the user already controls the
|
|
// bytes, and the install pipeline may write them without integrity.
|
|
expect(pkgSnapshotToResolution('local-pkg@file:local-pkg-1.0.0.tgz', {
|
|
resolution: {
|
|
tarball: 'file:local-pkg-1.0.0.tgz',
|
|
},
|
|
version: '1.0.0',
|
|
}, { default: 'https://registry.npmjs.org/' })).toEqual({
|
|
tarball: 'file:local-pkg-1.0.0.tgz',
|
|
})
|
|
})
|