feat(gong): verify SHA256 checksum of downloaded binary before installation#2001
Open
MusaMisto wants to merge 5 commits into
Open
feat(gong): verify SHA256 checksum of downloaded binary before installation#2001MusaMisto wants to merge 5 commits into
MusaMisto wants to merge 5 commits into
Conversation
Contributor
Prompt To Fix All With AIFix the following 2 code review issues. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 2
pkg/gong/gong.go:333
**Artifact name missing OS component may cause checksum lookup to always fail**
`artifactName` is built as `"gong_" + getArchName()` (e.g. `gong_amd64`), but the binary URL embeds the OS in the *path* (`releases/{version}/linux/gong_amd64`), not the filename. A single `checksums.txt` covering all platforms must distinguish linux/darwin/windows binaries of the same architecture. If the manifest uses `gong_linux_amd64` / `gong_darwin_amd64` (standard GoReleaser convention) or path-prefixed entries like `linux/gong_amd64`, then `parseChecksumManifest` will always return `"checksum entry not found for gong_amd64"` and every install will fail. Even if the current manifest uses bare `gong_amd64` entries, those entries are ambiguous when two platforms produce different binaries — `parseChecksumManifest` returns the first match regardless of the running OS, potentially accepting a hash intended for the wrong platform's binary.
### Issue 2 of 2
pkg/gong/gong.go:246-249
**No size cap on checksum manifest response**
`io.ReadAll` will buffer the entire response body without any size limit. A misbehaving or compromised server could return a very large body and exhaust memory. A modest cap (e.g. 1 MiB) is more than enough for a text checksum manifest.
```suggestion
data, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // 1 MiB cap
if err != nil {
return nil, fmt.Errorf("failed to read checksum file: %w", err)
}
```
Reviews (1): Last reviewed commit: "feat(gong): verify SHA256 checksum of do..." | Re-trigger Greptile |
karakanb
requested changes
May 5, 2026
karakanb
left a comment
Contributor
There was a problem hiding this comment.
can you please fix all the extra spaces in the code?
d7c4b61 to
5eafa72
Compare
…lation - Add checksum.go with parseChecksumManifest, verifySHA256, isValidSHA256 - Wire verification into downloadGong between write and chmod/rename - Add baseURL/installDir test-hook fields on Checker (zero value = no behavior change) - Add 20 unit tests and 4 httptest integration tests (32 total) - Add checksum block to .goreleaser.yaml (name_template: checksums.txt, algorithm: sha256) - Document Binary Integrity in SECURITY.md
5eafa72 to
03e1daa
Compare
…test.go Co-authored-by: Copilot <copilot@github.com>
…t.go, gong_install_test.go, and checksum_test.go Co-authored-by: Copilot <copilot@github.com>
…t.go and improve test assertions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds SHA256 checksum verification to the gong helper binary download flow.
Before: binary was downloaded and installed with no integrity check.
After: download binary → download checksums.txt → verify SHA256 → install only if valid.
On any failure the temp file is discarded and the final path is never written.
Changes
pkg/gong/checksum.go— three stdlib-only helpers:parseChecksumManifest,verifySHA256,isValidSHA256. No new dependencies — crypto/sha256 is alreadyin the Go standard library.
pkg/gong/gong.go— wires verification intodownloadGongbetweentmpFile.Close()andos.Chmod/os.Rename. This placement is deliberate:the file must be fully written before its hash can be read, and chmod/rename
must never run on an unverified file. The existing
defer os.Remove(tmpPath)handles cleanup on any failure path automatically — the final path is never
created on a bad checksum.
Adds
baseURL/installDiras private zero-value fields rather than constructorparameters so the public API is completely unchanged; existing callers using
&Checker{}see no behavior difference..goreleaser.yaml— addschecksum: name_template: "checksums.txt" / algorithm: sha256. The filename must match the hardcoded path inbuildChecksumURL(/releases/{version}/checksums.txt) — making it explicitin the release config prevents any future divergence.
SECURITY.md— documents the new Binary Integrity behavior for users andmaintainers. Supply-chain integrity policy belongs in SECURITY.md, not README
or docs/, so it is independently linkable and not buried in installation steps.
Tests
edge cases including uppercase hash, missing file, invalid expected value)
httptest.Server: valid checksum installs,wrong checksum blocks, missing entry blocks, server failure blocks.
The "binary does not exist at final path" assertion in the failure cases is the
key safety proof — it confirms
os.Renamenever ran.Testing
go test ./pkg/gong/...: passed (32/32)pkg/...suite: passed for all packages unrelated to pre-existing CGObuild failures that reproduce identically on main (no C compiler on this
Windows dev machine; race detector requires GCC)