CPMR0073 - Script do not validate downloaded files
WARNING
This rule has been marked as a Requirement.
Requirements represent the minimum quality of a package that is acceptable. When a package version has failed requirements, the package version requires fixing and/or response by the maintainer. Provided a Requirement has flagged correctly, it must be fixed before the package version can be approved. The exact same version should be uploaded during moderation review.
Issue
In an automation script (.ps1/.psm1), one or more calls that download files from a remote location are used without verifying the checksums of those files.
The following helper functions are currently validated by this rule; more may be added in the future.
- `Install-ChocolateyPackage` - If the `Url` parameter is used, the associated `Checksum` parameter must additionally be set (for 64-bit this would be `Url64`/`Url64bit` and `Checksum64`).
- `Install-ChocolateyZipPackage` - If the `Url` parameter is used, the associated `Checksum` parameter must additionally be set (for 64-bit this would be `Url64`/`Url64bit` and `Checksum64`).
- `Get-ChocolateyWebFile` - If the `Url` parameter is used, the associated `Checksum` parameter must additionally be set (for 64-bit this would be `Url64`/`Url64bit` and `Checksum64`).
- `Install-ChocolateyPowershellCommand` - If the `Url` parameter is used, the associated `Checksum` parameter must additionally be set (for 64-bit this would be `Url64`/`Url64bit` and `Checksum64`).
- `Install-ChocolateyVsixPackage` - If the `VsixUrl`/`Url` parameter is used, the associated `Checksum` parameter must additionally be set.
- `Get-WebFile` - A low-level download of a single file that should generally be avoided unless necessary; it requires an additional call to `Get-ChecksumValid` using the same file name specified for the output.
- `Get-FtpFile` - A low-level download of a single file that should generally be avoided unless necessary; it requires an additional call to `Get-ChecksumValid` using the same file name specified for the output.
Recommended Solution
Update all calls to helper functions that download files from a remote location to include their respective `Checksum` parameter, or make a call to `Get-ChecksumValid` if no such parameter exists.
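An added example (not from this rule page or from the Chocolatey project) of a chocolateyInstall.ps1 that satisfies the rule for both helper styles: a high-level helper with matching checksum parameters, and a low-level download followed by `Get-ChecksumValid`. The package name, URLs and hash values are constructed placeholders; `ChecksumType`/`ChecksumType64` are the helper parameters naming the hash algorithm, which the rule text above does not mention.

```powershell
$ErrorActionPreference = 'Stop'
$toolsDir = Split-Path -Parent $MyInvocation.MyCommand.Definition

# Flagged form (CPMR0073): Url is given but no Checksum, so whatever the
# server returns is installed unverified.
#   Install-ChocolateyPackage -PackageName 'example-app' -FileType 'exe' `
#       -SilentArgs '/S' -Url 'https://example.invalid/example-app-x86.exe'

# Compliant form. URLs and hashes are placeholders; replace them with the real
# download locations and the SHA-256 computed (e.g. via Get-FileHash) from the
# exact files the package version was built against.
$packageArgs = @{
  PackageName    = 'example-app'
  FileType       = 'exe'
  SilentArgs     = '/S'
  Url            = 'https://example.invalid/example-app-1.0.0-x86.exe'
  Url64bit       = 'https://example.invalid/example-app-1.0.0-x64.exe'
  Checksum       = '<SHA256-OF-X86-FILE>'
  ChecksumType   = 'sha256'
  Checksum64     = '<SHA256-OF-X64-FILE>'
  ChecksumType64 = 'sha256'
}
# Every Url/Url64bit has its Checksum/Checksum64 counterpart, so the helper
# verifies the downloaded file before running the installer.
Install-ChocolateyPackage @packageArgs

# When a low-level helper is unavoidable it performs no verification itself;
# the rule requires a follow-up Get-ChecksumValid against the same output path.
$configFile = Join-Path $toolsDir 'example-app.config'
Get-WebFile -Url 'https://example.invalid/example-app.config' -FileName $configFile
Get-ChecksumValid -File $configFile -Checksum '<SHA256-OF-CONFIG-FILE>' -ChecksumType 'sha256'
```

If the remote file changes, `Get-ChecksumValid` (or the checksum check inside the high-level helper) throws and the install aborts rather than running an unexpected binary.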
Reasoning
All packages on the Chocolatey Community Repository should aim to be as safe and resilient as possible. Supplying a checksum when downloading remote files helps ensure that the file is the same one the maintainer created the package for, and that it has not been changed in transit or on the remote server since.