Skip to content

security: fail-closed binary checksum verification + version-tag validation#362

Open
rafaelfiguereod-stack wants to merge 1 commit into
CloakHQ:mainfrom
rafaelfiguereod-stack:upstream-supplychain-hardening
Open

security: fail-closed binary checksum verification + version-tag validation#362
rafaelfiguereod-stack wants to merge 1 commit into
CloakHQ:mainfrom
rafaelfiguereod-stack:upstream-supplychain-hardening

Conversation

@rafaelfiguereod-stack

Copy link
Copy Markdown

Summary

Two small, self-contained, backward-compatible hardening changes to the binary supply chain (Python + TS clients), with new tests.

1. Checksum verification fails closed (was fail-open)

_verify_download_checksum / verifyDownloadChecksum previously logged a warning and used the binary when SHA256SUMS could not be fetched, or had no entry for the platform archive. Since every release publishes SHA256SUMS (and there's a build-provenance attestation), the client should enforce it:

  • Missing checksums / missing entry now raise instead of proceeding.
  • The existing CLOAKBROWSER_SKIP_CHECKSUM=true escape hatch is preserved (custom mirrors / offline builds).
  • _fetch_checksums now skips an empty parse (e.g. a redirect to an HTML 404 page) and falls through to the next mirror, so a misbehaving primary can't shadow a good fallback or satisfy the check with junk. _parse_checksums requires a valid 64‑hex digest per line (the TS regex already did).

I verified that the live release SHA256SUMS is reachable and contains each platform's entry, so this does not break installs.

2. Version‑tag validation

The Chromium version comes from the GitHub release tag name and flows into cache paths, download URLs, and (Windows, TS client) the PowerShell zip‑extraction command. Added is_safe_version_tag / isSafeVersionTag (^\d+(\.\d+){0,9}$):

  • _get_latest_chromium_version / getLatestChromiumVersion skip any release whose version isn't plain dotted‑numeric.
  • Cache‑marker versions are validated before use in get_effective_version.
  • TS zip extraction passes the archive/destination paths to PowerShell via environment variables instead of interpolating them into the -Command string, so a path/version containing a quote can't be parsed as code.

Tests

  • New tests/test_supplychain_hardening.py (fail‑closed, mirror fall‑through, version validation) — passing.
  • tsc --noEmit clean. (Pre‑existing Windows‑only failures in test_update/test_config/test_extract are unrelated — they hard‑code .tar.gz/POSIX paths.)

Deliberately NOT included here (to avoid duplicating existing open PRs)

Happy to adjust scope, split, or rename anything if preferred.

…dation

Two self-contained, backward-compatible hardening changes to the binary
supply chain (Python + TS clients), with new tests.

1. Checksum verification fails CLOSED. _verify_download_checksum /
   verifyDownloadChecksum previously warned and ran the binary when
   SHA256SUMS was missing or had no entry for the platform archive; they
   now raise. The CLOAKBROWSER_SKIP_CHECKSUM=true escape hatch is kept for
   custom mirrors. _fetch_checksums skips empty/non-SHA256SUMS bodies (e.g.
   a redirect to an HTML 404) and falls through to the next mirror;
   _parse_checksums requires a 64-hex digest per line.

2. Version-tag validation. The Chromium version (from the GitHub release
   tag) flows into cache paths, URLs, and the Windows PowerShell zip
   extraction. Added is_safe_version_tag / isSafeVersionTag
   (^\d+(\.\d+){0,9}$); latest-version and cache-marker versions are
   validated before use, and TS zip extraction passes paths to PowerShell
   via env vars instead of -Command string interpolation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants