From 4ec7bb20f91271dd7ebf44417e4984ecb1dd17a4 Mon Sep 17 00:00:00 2001
From: Simon Byrne
Date: Wed, 9 May 2018 00:52:18 -0700
Subject: [PATCH] Download archives by tree hash instead of tag (#281)

* Download archives by tree hash instead of tag Since we don't do any validation of the archives, downloading based on tag presents a potential security hole whereby a compromised repository retags a version. This should fix that by downloading the archive for the tree directly. Note that the documentation (https://developer.github.com/v3/repos/contents/#get-archive-link) says that it should be a valid git reference, but using hashes seems to work as well.
* add note to method
---
 stdlib/Pkg3/src/Operations.jl | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/stdlib/Pkg3/src/Operations.jl b/stdlib/Pkg3/src/Operations.jl
index 754d8112b5ddb..f11f8358eea29 100644
--- a/stdlib/Pkg3/src/Operations.jl
+++ b/stdlib/Pkg3/src/Operations.jl
@@ -351,21 +351,24 @@ end
 ########################
 # Package installation #
 ########################
-function get_archive_url_for_version(url::String, version)
+function get_archive_url_for_version(url::String, ref)
 if (m = match(r"https://github.com/(.*?)/(.*?).git", url)) != nothing
- return "https://github.com/$(m.captures[1])/$(m.captures[2])/archive/v$(version).tar.gz"
+ return "https://api.github.com/repos/$(m.captures[1])/$(m.captures[2])/tarball/$(ref)"
 end
 return nothing
 end
 
+# can be removed after https://github.com/JuliaLang/julia/pull/27036
+get_archive_url_for_version(url::String, hash::SHA1) = get_archive_url_for_version(url::String, string(hash))
+
 # Returns if archive successfully installed
 function install_archive(
 urls::Vector{String},
- version::Union{VersionNumber,Nothing},
+ hash::SHA1,
 version_path::String
 )::Bool
 for url in urls
- archive_url = get_archive_url_for_version(url, version)
+ archive_url = get_archive_url_for_version(url, hash)
 if archive_url != nothing
 path = tempname() * randstring(6) * ".tar.gz"
 url_success = true
@@ -496,7 +499,7 @@ function apply_versions(ctx::Context, pkgs::Vector{PackageSpec}, hashes::Dict{UU
 continue
 end
 try
- success = install_archive(urls[pkg.uuid], pkg.version::VersionNumber, path)
+ success = install_archive(urls[pkg.uuid], hashes[pkg.uuid], path)
 put!(results, (pkg, success, path))
 catch err
 put!(results, (pkg, err, catch_backtrace()))
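Review bot: The archive returned for `/tarball/$(ref)` is still installed without being checked against `hash`, so the new code only narrows the retag vector the description names: the download is now pinned to a tree hash, but nothing confirms that the unpacked contents actually have that tree hash. Recomputing the tree hash of the extracted directory and comparing it to `hash` before install_archive returns `true` would close that gap; install_archive's body continues past the end of the hunk, so where that check fits is not visible here. In the forwarding method, `url::String` inside the call is a redundant type assertion on an argument the signature already constrains — `get_archive_url_for_version(url, string(hash))` is enough. The renamed `ref` parameter is interpolated verbatim into the URL path, which is worth a docstring stating that `ref` must be a git reference or hex hash, as the commit message's note about the GitHub API contract already implies.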