remove url/checksum arguments from /v2/pkgs/tools/installed endpoint

This is a security risk. They were overriding packager,toolname,version from package index.

Author: umbynos

v2/pkgs/tools.go

@@ -135,12 +135,6 @@ func (c *Tools) Installed(ctx context.Context) (tools.ToolCollection, error) {
 // Install crawles the Index folder, downloads the specified tool, extracts the archive in the Tools Folder.
 // It checks for the Signature specified in the package index.
 func (c *Tools) Install(ctx context.Context, payload *tools.ToolPayload) (*tools.Operation, error) {
-	path := filepath.Join(payload.Packager, payload.Name, payload.Version)
-
-	if payload.URL != nil {
-		return c.install(ctx, path, *payload.URL, *payload.Checksum)
-	}
-
 	list, err := c.Indexes.List(ctx)
 	if err != nil {
 		return nil, err
@@ -160,10 +154,7 @@ func (c *Tools) Install(ctx context.Context, payload *tools.ToolPayload) (*tools
 			for _, tool := range packager.Tools {
 				if tool.Name == payload.Name &&
 					tool.Version == payload.Version {
-
-					i := findSystem(tool)
-
-					return c.install(ctx, path, tool.Systems[i].URL, tool.Systems[i].Checksum)
+					return c.install(ctx, payload.Packager, tool)
 				}
 			}
 		}
@@ -174,9 +165,12 @@ func (c *Tools) Install(ctx context.Context, payload *tools.ToolPayload) (*tools
 			payload.Packager, payload.Name, payload.Version))
 }
 
-func (c *Tools) install(ctx context.Context, path, url, checksum string) (*tools.Operation, error) {
+func (c *Tools) install(ctx context.Context, packager string, tool Tool) (*tools.Operation, error) {
+	i := findSystem(tool)
+	path := filepath.Join(packager, tool.Name, tool.Version)
+
 	// Download
-	res, err := http.Get(url)
+	res, err := http.Get(tool.Systems[i].URL)
 	if err != nil {
 		return nil, err
 	}
@@ -201,7 +195,7 @@ func (c *Tools) install(ctx context.Context, path, url, checksum string) (*tools
 	sum := sha256.Sum256(buffer.Bytes())
 	sumString := "SHA-256:" + hex.EncodeToString(sum[:sha256.Size])
 
-	if sumString != checksum {
+	if sumString != tool.Systems[i].Checksum {
 		os.RemoveAll(path)
 		return nil, errors.New("checksum doesn't match")
 	}

v2/pkgs/tools_test.go

@@ -21,7 +21,6 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
-	"runtime"
 	"strings"
 	"testing"
 
@@ -131,52 +130,4 @@ func TestTools(t *testing.T) {
 	if len(installed) != 0 {
 		t.Fatalf("expected %d == %d (%s)", len(installed), 0, "len(installed)")
 	}
-
-	// Install a tool by specifying url and checksum
-	_, err = service.Install(ctx, &tools.ToolPayload{
-		Packager: "arduino",
-		Name:     "avrdude",
-		Version:  "6.0.1-arduino2",
-		URL:      strpoint(url()),
-		Checksum: strpoint(checksum()),
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	installed, err = service.Installed(ctx)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(installed) != 1 {
-		t.Fatalf("expected %d == %d (%s)", len(installed), 1, "len(installed)")
-	}
-}
-
-func strpoint(s string) *string {
-	return &s
-}
-
-func url() string {
-	urls := map[string]string{
-		"linuxamd64":   "https://downloads.arduino.cc/tools/avrdude-6.0.1-arduino2-x86_64-pc-linux-gnu.tar.bz2",
-		"linux386":     "https://downloads.arduino.cc/tools/avrdude-6.0.1-arduino2-i686-pc-linux-gnu.tar.bz2",
-		"darwinamd64":  "https://downloads.arduino.cc/tools/avrdude-6.0.1-arduino2-i386-apple-darwin11.tar.bz2",
-		"windows386":   "https://downloads.arduino.cc/tools/avrdude-6.0.1-arduino2-i686-mingw32.zip",
-		"windowsamd64": "https://downloads.arduino.cc/tools/avrdude-6.0.1-arduino2-i686-mingw32.zip",
-	}
-
-	return urls[runtime.GOOS+runtime.GOARCH]
-}
-
-func checksum() string {
-	checksums := map[string]string{
-		"linuxamd64":   "SHA-256:2489004d1d98177eaf69796760451f89224007c98b39ebb5577a9a34f51425f1",
-		"linux386":     "SHA-256:6f633dd6270ad0d9ef19507bcbf8697b414a15208e4c0f71deec25ef89cdef3f",
-		"darwinamd64":  "SHA-256:71117cce0096dad6c091e2c34eb0b9a3386d3aec7d863d2da733d9e5eac3a6b1",
-		"windows386":   "SHA-256:6c5483800ba753c80893607e30cade8ab77b182808fcc5ea15fa3019c63d76ae",
-		"windowsamd64": "SHA-256:6c5483800ba753c80893607e30cade8ab77b182808fcc5ea15fa3019c63d76ae",
-	}
-	return checksums[runtime.GOOS+runtime.GOARCH]
-
 }