Only allow download URLs pointing at the official S3 URL (#71)

fixes #52
This commit is contained in:
Sascha Mann
2021-01-13 11:18:46 +01:00
committed by GitHub
parent d57803fb22
commit 6fd5c3fbaf
2 changed files with 8 additions and 0 deletions

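--- a/lib/installer.js
+++ b/lib/installer.js
@@ -146,6 +146,10 @@ function getDownloadURL(fileInfo, version, arch) {
 if (version == 'nightly') {
 return `${baseURL}/${getNightlyFileName(arch)}`;
 }
+// Verify that fileInfo.url points at the official Julia download servers
+if (!fileInfo.url.startsWith('https://julialang-s3.julialang.org/')) {
+throw new Error(`versions.json points at a download location outside of Julia's download server: ${fileInfo.url}. Aborting for security reasons.`);
+}
 return fileInfo.url;
 }
 exports.getDownloadURL = getDownloadURL;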


@@ -142,6 +142,10 @@ export function getDownloadURL(fileInfo, version: string, arch: string): string
return `${baseURL}/${getNightlyFileName(arch)}` return `${baseURL}/${getNightlyFileName(arch)}`
} }
// Verify that fileInfo.url points at the official Julia download servers
if (!fileInfo.url.startsWith('https://julialang-s3.julialang.org/')) {
throw new Error(`versions.json points at a download location outside of Julia's download server: ${fileInfo.url}. Aborting for security reasons.`)
}
return fileInfo.url return fileInfo.url
} }
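Review bot: The new guard calls `startsWith` on `fileInfo.url` without first establishing that it is a string — `fileInfo` carries no type annotation in the signature shown in the hunk header, so a versions.json entry with a missing or non-string `url` fails with a bare TypeError from `startsWith` instead of the descriptive "Aborting for security reasons" error this commit introduces. A preceding check such as `if (typeof fileInfo.url !== 'string') throw new Error('versions.json entry is missing a string url')` keeps that failure explicit; alternatively parse with `new URL(fileInfo.url)` and compare `protocol` and `hostname`, which also makes it clear which parts of the URL are being trusted. As written the prefix check is fail-closed (exact `https://` scheme, exact host and the trailing `/`), so this is a diagnostics point rather than a bypass. The same lines appear in the generated lib/installer.js section above, which presumably follows from rebuilding this source. getDownloadURL's signature and the `baseURL` definition lie outside the hunk.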