GitArchiveInputScheme: Verify the locked tree hash

2025-11-30 22:20:59 +01:00 · 2023-02-03 15:31:36 +01:00 · 2023-02-03 15:31:36 +01:00 · 219510b6ab
commit 219510b6ab
parent ca26ce994b
3 changed files with 36 additions and 19 deletions
--- a/src/libfetchers/github.cc
+++ b/src/libfetchers/github.cc
@ -107,8 +107,11 @@ struct GitArchiveInputScheme : InputScheme
    {
        if (maybeGetStrAttr(attrs, "type") != type()) return {};

+        static std::unordered_set<std::string> known =
+            {"type", "owner", "repo", "ref", "rev", "narHash", "lastModified", "host", "treeHash"};
+
        for (auto & [name, value] : attrs)
-            if (name != "type" && name != "owner" && name != "repo" && name != "ref" && name != "rev" && name != "narHash" && name != "lastModified" && name != "host")
+            if (!known.contains(name))
                throw Error("unsupported input attribute '%s'", name);

        getStrAttr(attrs, "owner");
@ -155,6 +158,23 @@ struct GitArchiveInputScheme : InputScheme
        return input;
    }

+    std::optional<Hash> getTreeHash(const Input & input) const
+    {
+        if (auto treeHash = maybeGetStrAttr(input.attrs, "treeHash"))
+            return Hash::parseAny(*treeHash, htSHA1);
+        else
+            return std::nullopt;
+    }
+
+    void checkLocks(const Input & specified, const Input & final) const override
+    {
+        if (auto prevTreeHash = getTreeHash(specified)) {
+            if (getTreeHash(final) != prevTreeHash)
+                throw Error("Git tree hash mismatch in input '%s', expected '%s'",
+                    specified.to_string(), prevTreeHash->gitRev());
+        }
+    }
+
    std::optional<std::string> getAccessToken(const std::string & host) const
    {
        auto tokens = fetchSettings.accessTokens.get();
@ -214,9 +234,6 @@ struct GitArchiveInputScheme : InputScheme

        auto treeHash = importTarball(*source);

-        // FIXME: verify against locked tree hash.
-        input.attrs.insert_or_assign("treeHash", treeHash.gitRev());
-
        cache->upsertFact(treeHashKey, treeHash.gitRev());

        return {std::move(input), treeHash};
@ -226,6 +243,8 @@ struct GitArchiveInputScheme : InputScheme
    {
        auto [input, treeHash] = downloadArchive(store, _input);

+        input.attrs.insert_or_assign("treeHash", treeHash.gitRev());
+
        auto accessor = makeTarballCacheAccessor(treeHash);

        #if 0