adds verification if name and version of a downloaded plugin matches plugin center information

2025-10-31 02:25:53 +01:00 · 2020-08-05 16:54:48 +02:00
parent 1246fbd65c
commit 0287724b97
5 changed files with 125 additions and 13 deletions
--- a/scm-webapp/src/main/java/sonia/scm/plugin/PluginInstaller.java
+++ b/scm-webapp/src/main/java/sonia/scm/plugin/PluginInstaller.java
@@ -60,14 +60,49 @@ class PluginInstaller {
      Files.copy(input, file);

      verifyChecksum(plugin, input.hash(), file);
-      verifyConditions(context, file);
+
+      InstalledPluginDescriptor descriptor = smpDescriptorExtractor.extractPluginDescriptor(file);
+      PluginInstallationVerifier.verify(context, descriptor);
+
+      verifyInformation(plugin.getDescriptor(), descriptor);
+
      return new PendingPluginInstallation(plugin.install(), file);
+    } catch (PluginException ex) {
+      cleanup(file);
+      throw ex;
    } catch (IOException ex) {
      cleanup(file);
      throw new PluginDownloadException(plugin, ex);
    }
  }

+  private void verifyInformation(AvailablePluginDescriptor api, InstalledPluginDescriptor downloaded) {
+    verifyInformation(api.getInformation(), downloaded.getInformation());
+  }
+
+  private void verifyInformation(PluginInformation api, PluginInformation downloaded) {
+    if (!api.getName().equals(downloaded.getName())) {
+      throw new PluginInformationMismatchException(
+        api, downloaded,
+        String.format(
+          "downloaded plugin name \"%s\" does not match the expected name \"%s\" from plugin-center",
+          downloaded.getName(),
+          api.getName()
+        )
+      );
+    }
+    if (!api.getVersion().equals(downloaded.getVersion())) {
+      throw new PluginInformationMismatchException(
+        api, downloaded,
+        String.format(
+          "downloaded plugin version \"%s\" does not match the expected version \"%s\" from plugin-center",
+          downloaded.getVersion(),
+          api.getVersion()
+        )
+      );
+    }
+  }
+
  private void cleanup(Path file) {
    try {
      if (file != null) {
@@ -89,16 +124,6 @@ class PluginInstaller {
    }
  }

-  private void verifyConditions(PluginInstallationContext context, Path file) throws IOException {
-    InstalledPluginDescriptor pluginDescriptor = smpDescriptorExtractor.extractPluginDescriptor(file);
-    try {
-      PluginInstallationVerifier.verify(context, pluginDescriptor);
-    } catch (PluginException ex) {
-      cleanup(file);
-      throw ex;
-    }
-  }
-
  private InputStream download(AvailablePlugin plugin) throws IOException {
    return client.get(plugin.getDescriptor().getUrl()).request().contentAsStream();
  }