Only allow download URLs pointing at the official S3 URL (#71)

fixes #52
2026-02-12 11:06:53 +08:00 · 2021-01-13 11:18:46 +01:00
parent d57803fb22
commit 6fd5c3fbaf
2 changed files with 8 additions and 0 deletions
--- a/src/installer.ts
+++ b/src/installer.ts
@@ -142,6 +142,10 @@ export function getDownloadURL(fileInfo, version: string, arch: string): string
        return `${baseURL}/${getNightlyFileName(arch)}`
    }

+    // Verify that fileInfo.url points at the official Julia download servers
+    if (!fileInfo.url.startsWith('https://julialang-s3.julialang.org/')) {
+        throw new Error(`versions.json points at a download location outside of Julia's download server: ${fileInfo.url}. Aborting for security reasons.`)
+    }
    return fileInfo.url
 }