CPMR0073 - Script do not validate downloaded files

CPMR0073 - Script do not validate downloaded files

:choco-warning: WARNING

This rule has been marked as a Requirement.

Requirements represent the minimum quality of a package that is acceptable. When a package version has failed requirements, the package version requires fixing and/or response by the maintainer. Provided a Requirement has flagged correctly, it must be fixed before the package version can be approved. The exact same version should be uploaded during moderation review.

Issue

In an automation script (.ps1/.psm1), one or more calls that downloads files from a remote location are used without verifying the checksums of these files.

The following helper functions are currently being validated by this rule, with possibly more being added in the future.

  • Install-ChocolateyPackage - If the Url parameter is used, the associated Checksum parameter is additionally set (For 64bit this would be Url64 / Url64bit and Checksum64).
  • Install-ChocolateyZipPackage - If the Url parameter is used, the associated Checksum parameter is additionally set (For 64bit this would be Url64 / Url64bit and Checksum64).
  • Get-ChocolateyWebFile - If the Url parameter is used, the associated Checksum parameter is additionally set (For 64bit this would be Url64 / Url64bit and Checksum64).
  • Install-ChocolateyPowershellCommand - If the Url parameter is used, the associated Checksum parameter is additionally set (For 64bit this would be Url64 / Url64bit and Checksum64).
  • Install-ChocolateyVsixPackage - If the VsixUrl / Url parameter is used, the associated Checksum parameter is additionally set.
  • Get-WebFile - A low-level download of a single file that should generally be avoided unless necessary, requires an additional call to Get-ChecksumValid using the same file name specified for the output.
  • Get-FtpFile - A low-level download of a single file that should generally be avoided unless necessary, requires an additional call to Get-ChecksumValid using the same file name specified for the output.

Update all calls to helper functions that download files from a remote location to include the use of their respective Checksum property, or make a call to Get-ChecksumValid if no such parameter exists.

Reasoning

All packages on the Chocolatey Community Repository should aim to be as safe and resilient as possible. Adding a checksum when downloading remote files helps with the security that the file is the same as the maintainer created the package for, and it has not been changed during the request.