NodeInstaller skips node download when an empty bundle is present #20661

Open
mcollovati opened this issue Dec 10, 2024 · 2 comments

@mcollovati

When Flow detects that node needs to be installed locally, it will download it into the $HOME/.vaadin folder.
If the expected file is already there, NodeInstaller will skip the download.
However, if a previous download failed, an empty file could be present. This leads to the download being skipped, but then the node executable could not be extracted and used.

[INFO] The globally installed Node.js version 18.7.0 is older than the required minimum version 18.12.0. Using Node.js from /root/.vaadin.
[10:21:38 ] [INFO] Updating current installed node version from 22.11.0 to 22.12.0
[10:21:38 ] [INFO] Node 22.11.0 was installed, but we need version v22.12.0
[10:21:38 ] [INFO] Installing node version v22.12.0
[10:21:38 ] [INFO] Unpacking /root/.vaadin/node-v22.12.0-linux-x64.tar.gz (0 bytes) into /root/.vaadin/node/tmp

Flow could force download when the expected file exists but its size is zero.

@caalador

Node seems to provide a text file with SHA-256 sums: https://nodejs.org/dist/v22.12.0/SHASUMS256.txt
So the downloader should always also download that, and then we need to parse the checksum for the target file: {sum} {file}

@knoobie

knoobie commented Dec 11, 2024

Note: one might argue that this falls under CWE-494: Download of Code Without Integrity Check.
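
The check discussed in this thread, as an added Java example that is not part of the issue or of Flow's code: it refuses to reuse a cached archive that is empty or whose SHA-256 does not match its `SHASUMS256.txt` entry. The class and method names are hypothetical, and the archive contents and checksum list used in `main` are constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Optional;

// Added illustration; hypothetical names, not Flow's NodeInstaller API.
public class ArchiveCheck {

    // Look up fileName in SHASUMS256.txt content, one "{sum}  {file}" entry per line.
    static Optional<String> expectedSum(String shasums, String fileName) {
        return shasums.lines()
                .map(line -> line.trim().split("\\s+", 2))
                .filter(p -> p.length == 2 && p[1].equals(fileName)
                        && p[0].matches("[0-9a-fA-F]{64}"))
                .map(p -> p[0])
                .findFirst();
    }

    static String sha256(Path file) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] buf = new byte[8192];
        try (InputStream in = Files.newInputStream(file)) {
            for (int n; (n = in.read(buf)) != -1; ) {
                md.update(buf, 0, n);
            }
        }
        return HexFormat.of().formatHex(md.digest());
    }

    // False means: delete the cached file and download again instead of unpacking it.
    static boolean reusable(Path archive, String shasums)
            throws IOException, NoSuchAlgorithmException {
        if (!Files.isRegularFile(archive) || Files.size(archive) == 0) {
            return false; // 0-byte leftover from a failed download
        }
        Optional<String> expected = expectedSum(shasums, archive.getFileName().toString());
        // A missing checksum entry is treated as a failure, not as "nothing to verify".
        return expected.isPresent() && expected.get().equalsIgnoreCase(sha256(archive));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file stands in for the cached archive.
        Path archive = Files.createTempDirectory("demo")
                .resolve("node-v22.12.0-linux-x64.tar.gz");
        Files.createFile(archive);
        System.out.println("empty file reusable: " + reusable(archive, ""));
        Files.writeString(archive, "constructed archive bytes");
        String sums = sha256(archive) + "  " + archive.getFileName() + "\n";
        System.out.println("matching file reusable: " + reusable(archive, sums));
        Files.writeString(archive, "truncated");
        System.out.println("modified file reusable: " + reusable(archive, sums));
    }
}
```

A checksum list fetched from the same server as the archive catches truncated or corrupted downloads; it does not by itself authenticate the publisher.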
