From 29b91c94d25fa6afa29404fd4fc7ec92d98782b5 Mon Sep 17 00:00:00 2001 From: Alejandro Romero Herrera Date: Sat, 29 Aug 2020 00:13:14 +0300 Subject: [PATCH 1/3] Avoid MITM attacks by verifying download integrity --- install.js | 24 ++++++++++++++++++++++-- package.json | 8 ++++---- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/install.js b/install.js index 207765b..316198a 100644 --- a/install.js +++ b/install.js @@ -3,8 +3,10 @@ var fs = require('fs'); var path = require('path'); var os = require('os'); var unzip = require('unzip'); +var crypto = require('crypto'); var WIX_BINARY_URL = 'http://static.wixtoolset.org/releases/v3.9.1006.0/wix39-binaries.zip' +var zip_hash = '0f05d338d364b348d20c1ccb79f6103cc5209417382ce1e705ce436ea85fb46f0bc32b75d5f5de9ad62bbda5b2d93ff9f1497370e918d5ef0c3fa12d60308ca1'; var zipPath = path.resolve(os.tmpdir(), 'wix.zip'); var file = fs.createWriteStream(zipPath); @@ -15,8 +17,26 @@ var request = http.get(WIX_BINARY_URL, function(response) { process.stdout.write("."); }); response.on('end', function() { - console.log('Extracting'); - fs.createReadStream(zipPath).pipe(unzip.Extract({path: path.resolve(__dirname, 'wix-bin')})); + console.log('Download complete'); + console.log('Starting integrity check...'); + + // Verify file using hash make MITM harder + var fstream = fs.createReadStream(zipPath); + var hash = crypto.createHash('sha512'); + hash.setEncoding('hex'); + + fstream.on('end', function() { + hash.end(); + calculated_hash = hash.read(); + if (zip_hash === calculated_hash){ + console.log('Extracting'); + fs.createReadStream(zipPath).pipe(unzip.Extract({path: path.resolve(__dirname, 'wix-bin')})); + console.log("Extraction complete") + }else{ + console.log(`File verification failed:\nDownloaded file sha512: ${calculated_hash}`); + } + }); + fstream.pipe(hash); }) }); diff --git a/package.json b/package.json index f41ecc0..bda8110 100644 --- a/package.json +++ b/package.json @@ -11,11 +11,11 @@ "author": "", "license": "ISC", "dependencies": { + "crypto": "^1.0.1", "unzip": "^0.1.11" }, - "repository" : - { "type" : "git" - , "url" : "https://github.com/rewiredpictures/node-wixtoolset.git" + "repository": { + "type": "git", + "url": "https://github.com/rewiredpictures/node-wixtoolset.git" } - } From 214ce4d6118d00cbc190197fca77bec39759473c Mon Sep 17 00:00:00 2001 From: Alejandro Romero Herrera Date: Sat, 29 Aug 2020 13:17:18 +0300 Subject: [PATCH 2/3] Added exit status for hash mismatch --- install.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/install.js b/install.js index 316198a..0e26f62 100644 --- a/install.js +++ b/install.js @@ -33,7 +33,8 @@ var request = http.get(WIX_BINARY_URL, function(response) { fs.createReadStream(zipPath).pipe(unzip.Extract({path: path.resolve(__dirname, 'wix-bin')})); console.log("Extraction complete") }else{ - console.log(`File verification failed:\nDownloaded file sha512: ${calculated_hash}`); + console.error(`File verification failed:\nDownloaded file sha512: ${calculated_hash}`); + process.exit(-1); } }); fstream.pipe(hash); From f0d8983615ba316560bfe20705a4c8c3ba8ebc67 Mon Sep 17 00:00:00 2001 From: Alejandro Romero Herrera Date: Sun, 30 Aug 2020 18:41:29 +0300 Subject: [PATCH 3/3] Added file deletion in case of hash mismatch --- install.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/install.js b/install.js index 0e26f62..bdfeac7 100644 --- a/install.js +++ b/install.js @@ -34,7 +34,11 @@ var request = http.get(WIX_BINARY_URL, function(response) { console.log("Extraction complete") }else{ console.error(`File verification failed:\nDownloaded file sha512: ${calculated_hash}`); - process.exit(-1); + fs.unlink(zipPath, function(err) { + if (err) throw err; + console.log('File deleted'); + process.exit(-1); + }); } }); fstream.pipe(hash);