Add production dependencies & build

Only allow download URLs pointing at the official S3 URL (#71 )
fixes #52
2026-02-15 20:46:53 +08:00 · 2021-01-13 11:30:58 +01:00 · 2021-01-13 05:18:46 -05:00
5 changed files with 5208 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 node_modules/
 __tests__/runner/*
-dist/
+!dist/
--- a/dist/index.js
+++ b/dist/index.js
--- a/dist/unzip
+++ b/dist/unzip
--- a/lib/installer.js
+++ b/lib/installer.js
@@ -146,6 +146,10 @@ function getDownloadURL(fileInfo, version, arch) {
    if (version == 'nightly') {
        return `${baseURL}/${getNightlyFileName(arch)}`;
    }
+    // Verify that fileInfo.url points at the official Julia download servers
+    if (!fileInfo.url.startsWith('https://julialang-s3.julialang.org/')) {
+        throw new Error(`versions.json points at a download location outside of Julia's download server: ${fileInfo.url}. Aborting for security reasons.`);
+    }
    return fileInfo.url;
 }
 exports.getDownloadURL = getDownloadURL;
--- a/src/installer.ts
+++ b/src/installer.ts
@@ -142,6 +142,10 @@ export function getDownloadURL(fileInfo, version: string, arch: string): string
        return `${baseURL}/${getNightlyFileName(arch)}`
    }

+    // Verify that fileInfo.url points at the official Julia download servers
+    if (!fileInfo.url.startsWith('https://julialang-s3.julialang.org/')) {
+        throw new Error(`versions.json points at a download location outside of Julia's download server: ${fileInfo.url}. Aborting for security reasons.`)
+    }
    return fileInfo.url
 }
Author	SHA1	Message	Date
Sascha Mann	0b9b1d2cd2	Add production dependencies & build	2021-01-13 11:30:58 +01:00
Sascha Mann	6fd5c3fbaf	Only allow download URLs pointing at the official S3 URL (#71 ) fixes #52	2021-01-13 05:18:46 -05:00