added code for checksum verification

2026-06-08 06:17:07 +00:00 · 2022-01-18 15:34:13 +05:30 · 2022-01-18 15:34:13 +05:30 · a845b2776b
commit a845b2776b
parent 0045e636d8
7 changed files with 54 additions and 9 deletions
--- a/.gitignore
+++ b/.gitignore
@ -101,4 +101,7 @@ typings/
 .dynamodb/

 # TernJS port file
-.tern-port
+.tern-port
+
+# vscode files
+.vscode
--- a/action.yml
+++ b/action.yml
@ -9,6 +9,10 @@ inputs:
    description: 'Policy for outbound traffic, can be either audit or block'
    required: false
    default: 'block'
+  expected_checksum:
+    description: 'Expected sha256 checksum of latest agent.tar.gz file'
+    default: "a5f466fc5c8a9b809afd421e0f32903da98908feab5a245c734d3775e2e10032"
+    required: true
 branding:
  icon: 'check-square'  
  color: 'green'
--- a/dist/pre/index.js
+++ b/dist/pre/index.js
@ -6261,6 +6261,23 @@ function printInfo(web_url) {

 // EXTERNAL MODULE: ./node_modules/@actions/tool-cache/lib/tool-cache.js
 var tool_cache = __nccwpck_require__(7784);
+// EXTERNAL MODULE: external "crypto"
+var external_crypto_ = __nccwpck_require__(6417);
+;// CONCATENATED MODULE: ./src/checksum_verify.ts
+
+
+
+function checksumVerify(downloadPath) {
+    const fileBuffer = external_fs_.readFileSync(downloadPath);
+    const checksum = external_crypto_.createHash("sha256").update(fileBuffer).digest('hex'); // checksum of downloaded file
+    const expectedChecksum = core.getInput("expected_checksum"); // default checksum
+    if (checksum !== expectedChecksum) {
+        core.error(`Checksum verification failed.`);
+        core.setFailed(`Checksum expected ${expectedChecksum} instead got ${checksum}`);
+    }
+    core.debug("Checksum verification passed.");
+}
+
 ;// CONCATENATED MODULE: ./src/setup.ts
 var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@ -6279,6 +6296,7 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume



+
 (() => __awaiter(void 0, void 0, void 0, function* () {
    try {
        if (process.platform !== "linux") {
@ -6316,6 +6334,7 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
        external_child_process_.execSync("sudo mkdir -p /home/agent");
        external_child_process_.execSync("sudo chown -R $USER /home/agent");
        const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.8.6/agent_0.8.6_linux_amd64.tar.gz");
+        checksumVerify(downloadPath); // NOTE: verifying agent's checksum, before extracting
        const extractPath = yield tool_cache.extractTar(downloadPath);
        console.log(`Step Security Job Correlation ID: ${correlation_id}`);
        printInfo(web_url);
--- a/dist/pre/index.js.map
+++ b/dist/pre/index.js.map
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
    "name": "step-security-harden-runner",
-    "version": "0.3.0",
+    "version": "1.1.0",
    "lockfileVersion": 2,
    "requires": true,
    "packages": {
        "": {
            "name": "step-security-harden-runner",
-            "version": "0.3.0",
+            "version": "1.1.0",
            "license": "Apache License 2.0",
            "dependencies": {
                "@actions/core": "^1.5.0",
@ -958,7 +958,6 @@
                "jest-resolve": "^26.6.2",
                "jest-util": "^26.6.2",
                "jest-worker": "^26.6.2",
-                "node-notifier": "^8.0.0",
                "slash": "^3.0.0",
                "source-map": "^0.6.0",
                "string-length": "^4.0.1",
@ -2567,8 +2566,7 @@
                "esprima": "^4.0.1",
                "estraverse": "^5.2.0",
                "esutils": "^2.0.2",
-                "optionator": "^0.8.1",
-                "source-map": "~0.6.1"
+                "optionator": "^0.8.1"
            },
            "bin": {
                "escodegen": "bin/escodegen.js",
@ -4207,7 +4205,6 @@
                "@types/node": "*",
                "anymatch": "^3.0.3",
                "fb-watchman": "^2.0.0",
-                "fsevents": "^2.1.2",
                "graceful-fs": "^4.2.4",
                "jest-regex-util": "^26.0.0",
                "jest-serializer": "^26.6.2",
--- a/src/checksum_verify.ts
+++ b/src/checksum_verify.ts
@ -0,0 +1,20 @@
+import * as core from "@actions/core";
+import * as crypto from "crypto"
+import * as fs from "fs"
+
+export function checksumVerify(downloadPath: string){
+
+
+    const fileBuffer:Buffer = fs.readFileSync(downloadPath)
+    const checksum: string = crypto.createHash("sha256").update(fileBuffer).digest('hex'); // checksum of downloaded file
+
+    const expectedChecksum: string = core.getInput("expected_checksum") // default checksum
+    
+    if(checksum !== expectedChecksum){
+        core.error(`Checksum verification failed.`)
+        core.setFailed(`Checksum expected ${expectedChecksum} instead got ${checksum}`)
+    }
+
+    core.debug("Checksum verification passed.")
+
+}
--- a/src/setup.ts
+++ b/src/setup.ts
@ -6,7 +6,7 @@ import * as path from "path";
 import { v4 as uuidv4 } from "uuid";
 import { printInfo } from "./common";
 import * as tc from "@actions/tool-cache";
-
+import {checksumVerify} from "./checksum_verify"
 (async () => {
  try {
    if (process.platform !== "linux") {
@ -56,6 +56,8 @@ import * as tc from "@actions/tool-cache";
    const downloadPath: string = await tc.downloadTool(
      "https://github.com/step-security/agent/releases/download/v0.8.6/agent_0.8.6_linux_amd64.tar.gz"
    );
+    
+    checksumVerify(downloadPath) // NOTE: verifying agent's checksum, before extracting
    const extractPath = await tc.extractTar(downloadPath);

    console.log(`Step Security Job Correlation ID: ${correlation_id}`);