mirror of
https://github.com/pnpm/pnpm.git
synced 2026-05-31 03:58:11 -04:00
b8196b82d1
A tampered `pnpm-lock.yaml` that strips the `integrity` field from a tarball resolution let the worker download the URL contents and mint a fresh integrity from the unverified bytes. An attacker who could both alter the lockfile (e.g. via a pull request that drops `integrity:`) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under `--frozen-lockfile`. `pkgSnapshotToResolution` now fails closed at lockfile-read time with `ERR_PNPM_MISSING_TARBALL_INTEGRITY` whenever a tarball-shaped resolution (no `type` field — covers plain remote, registry-derived, `file:`, and `gitHosted` entries) lacks integrity. Git-hosted tarballs and `file:` tarballs remain exempt: the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes. The fix sits at the lockfile-read chokepoint every install path flows through (deps-resolver, deps-restorer, graph-builder), so both isolated and hoisted node-linkers are covered. Credit to AutoFyn for finding and reporting the issue.
99 lines
4.2 KiB
TypeScript
99 lines
4.2 KiB
TypeScript
import { pkgSnapshotToResolution } from '@pnpm/lockfile.utils'
|
|
|
|
test('pkgSnapshotToResolution()', () => {
|
|
expect(pkgSnapshotToResolution('foo@1.0.0', {
|
|
resolution: {
|
|
integrity: 'AAAA',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/' })).toEqual({
|
|
integrity: 'AAAA',
|
|
tarball: 'https://registry.npmjs.org/foo/-/foo-1.0.0.tgz',
|
|
})
|
|
|
|
expect(pkgSnapshotToResolution('@mycompany/mypackage@2.0.0', {
|
|
resolution: {
|
|
integrity: 'AAAA',
|
|
tarball: '@mycompany/mypackage/-/@mycompany/mypackage-2.0.0.tgz',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/', '@mycompany': 'https://mycompany.jfrog.io/mycompany/api/npm/npm-local/' })).toEqual({
|
|
integrity: 'AAAA',
|
|
tarball: 'https://mycompany.jfrog.io/mycompany/api/npm/npm-local/@mycompany/mypackage/-/@mycompany/mypackage-2.0.0.tgz',
|
|
})
|
|
|
|
expect(pkgSnapshotToResolution('@mycompany/mypackage@2.0.0', {
|
|
resolution: {
|
|
integrity: 'AAAA',
|
|
tarball: '@mycompany/mypackage/-/@mycompany/mypackage-2.0.0.tgz',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/', '@mycompany': 'https://mycompany.jfrog.io/mycompany/api/npm/npm-local' })).toEqual({
|
|
integrity: 'AAAA',
|
|
tarball: 'https://mycompany.jfrog.io/mycompany/api/npm/npm-local/@mycompany/mypackage/-/@mycompany/mypackage-2.0.0.tgz',
|
|
})
|
|
|
|
expect(pkgSnapshotToResolution('@cdn.sheetjs.com/xlsx-0.18.9/xlsx-0.18.9.tgz', {
|
|
resolution: {
|
|
integrity: 'sha512-CCCC',
|
|
tarball: 'https://cdn.sheetjs.com/xlsx-0.18.9/xlsx-0.18.9.tgz',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/' })).toEqual({
|
|
integrity: 'sha512-CCCC',
|
|
tarball: 'https://cdn.sheetjs.com/xlsx-0.18.9/xlsx-0.18.9.tgz',
|
|
})
|
|
})
|
|
|
|
test('pkgSnapshotToResolution() rejects a remote tarball resolution that has no integrity', () => {
|
|
// A tampered or malformed lockfile that strips the `integrity` field
|
|
// would otherwise let pnpm download the URL contents unchecked. The
|
|
// helper must fail closed so neither install path nor any read-only
|
|
// consumer (sbom, list, etc.) silently trusts the lockfile entry.
|
|
expect(() => pkgSnapshotToResolution('foo@1.0.0', {
|
|
resolution: {
|
|
tarball: 'https://registry.npmjs.org/foo/-/foo-1.0.0.tgz',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/' })).toThrow(expect.objectContaining({ code: 'ERR_PNPM_MISSING_TARBALL_INTEGRITY' }))
|
|
|
|
// A tarball URL on an arbitrary CDN (no `gitHosted` flag, no known git
|
|
// host pattern) is still a regular remote tarball — integrity required.
|
|
expect(() => pkgSnapshotToResolution('xlsx@https+++cdn.sheetjs.com+xlsx-0.18.9+xlsx-0.18.9.tgz', {
|
|
resolution: {
|
|
tarball: 'https://cdn.sheetjs.com/xlsx-0.18.9/xlsx-0.18.9.tgz',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/' })).toThrow(expect.objectContaining({ code: 'ERR_PNPM_MISSING_TARBALL_INTEGRITY' }))
|
|
})
|
|
|
|
test('pkgSnapshotToResolution() allows git-hosted and file: tarballs to lack integrity', () => {
|
|
// Git-hosted tarballs are anchored by the commit SHA in their URL —
|
|
// pnpm's own install pipeline writes them without `integrity:` (see
|
|
// the `with-git-protocol-dep` fixture). Both the explicit
|
|
// `gitHosted: true` flag and a URL on a known git host must bypass
|
|
// the integrity check.
|
|
expect(pkgSnapshotToResolution('foo@https+++github.com+foo+bar', {
|
|
resolution: {
|
|
tarball: 'https://codeload.github.com/foo/bar/tar.gz/abc1234',
|
|
gitHosted: true,
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/' })).toEqual({
|
|
tarball: 'https://codeload.github.com/foo/bar/tar.gz/abc1234',
|
|
gitHosted: true,
|
|
})
|
|
|
|
expect(pkgSnapshotToResolution('is-negative@https+++codeload.github.com+kevva+is-negative+tar.gz+abc', {
|
|
resolution: {
|
|
tarball: 'https://codeload.github.com/kevva/is-negative/tar.gz/abc1234',
|
|
},
|
|
}, { default: 'https://registry.npmjs.org/' })).toEqual({
|
|
tarball: 'https://codeload.github.com/kevva/is-negative/tar.gz/abc1234',
|
|
})
|
|
|
|
// `file:` tarballs are local files; the user already controls the
|
|
// bytes, and the install pipeline may write them without integrity.
|
|
expect(pkgSnapshotToResolution('local-pkg@file:local-pkg-1.0.0.tgz', {
|
|
resolution: {
|
|
tarball: 'file:local-pkg-1.0.0.tgz',
|
|
},
|
|
version: '1.0.0',
|
|
}, { default: 'https://registry.npmjs.org/' })).toEqual({
|
|
tarball: 'file:local-pkg-1.0.0.tgz',
|
|
})
|
|
})
|