feat: harden download and install security

2026-03-21 20:48:53 +00:00 · 2026-03-21 20:48:53 +00:00 · af13e98eb3
commit af13e98eb3
parent f8ffb95376
33 changed files with 1517 additions and 46 deletions
--- a/crates/aim-core/tests/checksum_verification.rs
+++ b/crates/aim-core/tests/checksum_verification.rs
@ -20,6 +20,7 @@ fn install_succeeds_with_valid_trusted_checksum() {
        staged_payload_path: &staged_path,
        final_payload_path: &final_payload_path,
        trusted_checksum: Some(VALID_FIXTURE_SHA512),
+        weak_checksum_md5: None,
        desktop: None,
        helpers: DesktopHelpers::default(),
    })
@ -39,6 +40,7 @@ fn install_succeeds_without_trusted_checksum() {
        staged_payload_path: &staged_path,
        final_payload_path: &final_payload_path,
        trusted_checksum: None,
+        weak_checksum_md5: None,
        desktop: None,
        helpers: DesktopHelpers::default(),
    })
@ -57,6 +59,7 @@ fn install_fails_before_commit_when_trusted_checksum_mismatches() {
        staged_payload_path: &staged_path,
        final_payload_path: &final_payload_path,
        trusted_checksum: Some(VALID_FIXTURE_SHA512),
+        weak_checksum_md5: None,
        desktop: None,
        helpers: DesktopHelpers::default(),
    })
@ -77,6 +80,7 @@ fn malformed_trusted_checksum_fails_before_commit() {
        staged_payload_path: &staged_path,
        final_payload_path: &final_payload_path,
        trusted_checksum: Some("not-base64"),
+        weak_checksum_md5: None,
        desktop: None,
        helpers: DesktopHelpers::default(),
    })
@ -87,6 +91,46 @@ fn malformed_trusted_checksum_fails_before_commit() {
    assert!(!staged_path.exists());
 }

+#[test]
+fn install_succeeds_with_valid_weak_md5_checksum() {
+    let root = tempdir().unwrap();
+    let staged_path = write_staged_payload(root.path(), b"\x7fELFAppImage");
+    let final_payload_path = root.path().join("payloads/bat.AppImage");
+
+    let outcome = execute_install(&InstallRequest {
+        staged_payload_path: &staged_path,
+        final_payload_path: &final_payload_path,
+        trusted_checksum: None,
+        weak_checksum_md5: Some("474a0eb1bbe0a6e62715ce83922a5bf7"),
+        desktop: None,
+        helpers: DesktopHelpers::default(),
+    })
+    .unwrap();
+
+    assert!(outcome.final_payload_path.exists());
+}
+
+#[test]
+fn install_fails_before_commit_when_weak_md5_checksum_mismatches() {
+    let root = tempdir().unwrap();
+    let staged_path = write_staged_payload(root.path(), b"\x7fELFAppImage");
+    let final_payload_path = root.path().join("payloads/bat.AppImage");
+
+    let error = execute_install(&InstallRequest {
+        staged_payload_path: &staged_path,
+        final_payload_path: &final_payload_path,
+        trusted_checksum: None,
+        weak_checksum_md5: Some("00000000000000000000000000000000"),
+        desktop: None,
+        helpers: DesktopHelpers::default(),
+    })
+    .unwrap_err();
+
+    assert!(matches!(error, PayloadInstallError::WeakChecksumMismatch));
+    assert!(!final_payload_path.exists());
+    assert!(!staged_path.exists());
+}
+
 fn write_staged_payload(root: &std::path::Path, bytes: &[u8]) -> std::path::PathBuf {
    let staged_path = root.join("staging/bat.download");
    fs::create_dir_all(staged_path.parent().unwrap()).unwrap();