From 6fd5c3fbaf2c6fd13a2f62f1d05caa8ea36dac5a Mon Sep 17 00:00:00 2001
From: Sascha Mann
Date: Wed, 13 Jan 2021 11:18:46 +0100
Subject: [PATCH] Only allow download URLs pointing at the official S3 URL (#71)

fixes #52
---
 lib/installer.js | 4 ++++
 src/installer.ts | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/lib/installer.js b/lib/installer.js
index 085dfac..28c8232 100644
--- a/lib/installer.js
+++ b/lib/installer.js
@@ -146,6 +146,10 @@ function getDownloadURL(fileInfo, version, arch) {
 if (version == 'nightly') {
 return `${baseURL}/${getNightlyFileName(arch)}`;
 }
+ // Verify that fileInfo.url points at the official Julia download servers
+ if (!fileInfo.url.startsWith('https://julialang-s3.julialang.org/')) {
+ throw new Error(`versions.json points at a download location outside of Julia's download server: ${fileInfo.url}. Aborting for security reasons.`);
+ }
 return fileInfo.url;
 }
 exports.getDownloadURL = getDownloadURL;
diff --git a/src/installer.ts b/src/installer.ts
index 336a645..29442f0 100644
--- a/src/installer.ts
+++ b/src/installer.ts
@@ -142,6 +142,10 @@ export function getDownloadURL(fileInfo, version: string, arch: string): string
 return `${baseURL}/${getNightlyFileName(arch)}`
 }
+ // Verify that fileInfo.url points at the official Julia download servers
+ if (!fileInfo.url.startsWith('https://julialang-s3.julialang.org/')) {
+ throw new Error(`versions.json points at a download location outside of Julia's download server: ${fileInfo.url}. Aborting for security reasons.`)
+ }
 return fileInfo.url
 }
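Review bot: The new guard in src/installer.ts assumes `fileInfo.url` is a string; `fileInfo` is untyped in the signature shown in the hunk header, so a versions.json entry with a missing or non-string `url` makes `.startsWith` throw a bare TypeError instead of the intended security error. Guarding the type first keeps the failure explicit and fail-closed: `if (typeof fileInfo.url !== 'string' || !fileInfo.url.startsWith('https://julialang-s3.julialang.org/')) {`. The trailing slash in the prefix is load-bearing (it terminates the authority, so only that exact hostname passes rather than any longer host that merely begins with it), which is worth stating in the comment, e.g. `// The trailing '/' is required: it ends the host part, so only this exact hostname is accepted`. lib/installer.js carries the identical lines and needs the same change when it is regenerated. getDownloadURL's body starts outside the hunk, so any earlier return paths are not covered by this check.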