TestApplyRejectsChecksumMismatch: a binary whose hash doesn't match the manifest must NOT replace the local executable, else a corrupted CDN response or a swapped asset installs whatever bytes arrived.
(t *testing.T)
| 78 | // manifest must NOT replace the local executable, else a corrupted CDN |
| 79 | // response or a swapped asset installs whatever bytes arrived. |
| 80 | func TestApplyRejectsChecksumMismatch(t *testing.T) { |
| 81 | asset := platformAsset(t) |
| 82 | good := []byte("genuine binary v1\n") |
| 83 | tampered := []byte("malicious binary v1\n") // different bytes → different hash |
| 84 | |
| 85 | r := newFakeRelease(t, asset, tampered, hashOf(good)) |
| 86 | withReleaseURLs(t, r.srv.URL) |
| 87 | |
| 88 | tmpDir := t.TempDir() |
| 89 | exec := filepath.Join(tmpDir, "codehamr") |
| 90 | if err := os.WriteFile(exec, []byte("original\n"), 0o755); err != nil { |
| 91 | t.Fatal(err) |
| 92 | } |
| 93 | beforeHash := hashOf([]byte("original\n")) |
| 94 | |
| 95 | err := Apply(context.Background(), exec) |
| 96 | if err == nil { |
| 97 | t.Fatal("Apply must reject a binary that doesn't match the published checksum") |
| 98 | } |
| 99 | if !strings.Contains(err.Error(), "checksum mismatch") { |
| 100 | t.Fatalf("error must explain the mismatch, got: %v", err) |
| 101 | } |
| 102 | got, _ := os.ReadFile(exec) |
| 103 | if hashOf(got) != beforeHash { |
| 104 | t.Fatalf("local exec was replaced despite checksum mismatch") |
| 105 | } |
| 106 | } |
| 107 | |
| 108 | // TestApplyRestoresBinaryWhenPromoteFails covers the most dangerous failure: |
| 109 | // the running binary is moved aside to execPath+".old", then the promote |
nothing calls this directly
no test coverage detected