fix: properly handle missing algorithm type #48

Merged
merged 3 commits into from
Oct 4, 2022


ahmedwelhakim
Contributor

Fixing a bug that happens in the npm CLI when installing a library.

In line 272, the result of parse can be null if integrity is null. Then in line 273, other is null, so it breaks as below:

```
TypeError: Cannot read properties of null (reading 'pickAlgorithm')
npm verb stack     at Integrity.match (/usr/lib/node_modules/npm/node_modules/ssri/lib/index.js:273:24)
npm verb stack     at CachePolicy.satisfies (/usr/lib/node_modules/npm/node_modules/make-fetch-happen/lib/cache/policy.js:112:49)
npm verb stack     at Function.find (/usr/lib/node_modules/npm/node_modules/make-fetch-happen/lib/cache/entry.js:178:25)
npm verb stack     at async cacheFetch (/usr/lib/node_modules/npm/node_modules/make-fetch-happen/lib/cache/index.js:8:17)
npm verb stack     at async fetch (/usr/lib/node_modules/npm/node_modules/make-fetch-happen/lib/fetch.js:98:7)
```

```js
function parse (sri, opts) {
  if (!sri) {
    return null
  }
  opts = ssriOpts(opts)
  if (typeof sri === 'string') {
    return _parse(sri, opts)
  } else if (sri.algorithm && sri.digest) {
    const fullSri = new Integrity()
    fullSri[sri.algorithm] = [sri]
    return _parse(stringify(fullSri, opts), opts)
  } else {
    return _parse(stringify(sri, opts), opts)
  }
}
```

Here parse can return null if sri is not defined or null.

```js
  match (integrity, opts) {
    opts = ssriOpts(opts)
    const other = parse(integrity, opts)
    const algo = other.pickAlgorithm(opts) // HERE WHERE IT BREAKS
    return (
      this[algo] &&
      other[algo] &&
      this[algo].find(hash =>
        other[algo].find(otherhash =>
          hash.digest === otherhash.digest
        )
      )
    ) || false
  }
```

Here `const algo = other.pickAlgorithm(opts)` is where it breaks when other = null.
So we need to check whether other = null or not.
So a solution could be

```js
const algo = other?.pickAlgorithm(opts)
```

OR

```js
if(!other) return false;
const algo = other.pickAlgorithm(opts)
```

Reference

https://github.com/npm/cli/issues/5496
https://github.com/npm/cli/issues/3374

@ahmedwelhakim ahmedwelhakim requested a review from a team as a code owner September 14, 2022 01:03
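The failure and the guard described in the pull request above, as an added example that is not part of the original thread and is not ssri's code. `MiniIntegrity`, `miniParse`, the `PRIORITY` order and the sample strings are hypothetical stand-ins; the point is that a missing integrity value resolves to a non-match instead of throwing.

```javascript
'use strict'
// Hypothetical, simplified model of the parse/match pair quoted above.
const PRIORITY = ['sha512', 'sha384', 'sha256'] // strongest first (assumption)

// Constructed sample values: placeholder digests, not hashes of real data.
const SAMPLE_A = 'sha512-Q09OU1RSVUNURUQx'
const SAMPLE_B = 'sha512-Q09OU1RSVUNURUQy'

class MiniIntegrity {
  constructor () { this.hashes = {} }

  pickAlgorithm () {
    return PRIORITY.find(algo => this.hashes[algo]) || null
  }

  // "Before": dereferences the parse result without checking it.
  matchUnguarded (integrity) {
    const other = miniParse(integrity)
    const algo = other.pickAlgorithm() // TypeError when other === null
    return this.sameDigest(other, algo)
  }

  // "After": a missing integrity value is a non-match, not a crash or a pass.
  matchGuarded (integrity) {
    const other = miniParse(integrity)
    if (!other) return false
    return this.sameDigest(other, other.pickAlgorithm())
  }

  sameDigest (other, algo) {
    const mine = this.hashes[algo] || []
    const theirs = other.hashes[algo] || []
    return mine.some(digest => theirs.includes(digest))
  }
}

// Returns null for a missing value, like the parse() in the description.
function miniParse (sri) {
  if (!sri) return null
  const out = new MiniIntegrity()
  for (const entry of String(sri).trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)$/.exec(entry)
    if (m) (out.hashes[m[1]] = out.hashes[m[1]] || []).push(m[2])
  }
  return out
}
```

Calling `matchGuarded` with `null`, `undefined` or an empty string returns `false`, so a caller comparing a cached entry against an absent integrity value gets a clean non-match.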
@wraithgar
Member

The ? operator is not present in all of the versions of node that this module has to support.

Removing the optional chaining ? operator, which is not supported.
@ahmedwelhakim
Contributor Author

> The ? operator is not present in all of the versions of node that this module has to support.

I removed it.

@wraithgar
Member

This will need a test to cover the if statement.

@ahmedwelhakim
Contributor Author

> This will need a test to cover the if statement.

I added it

@wraithgar wraithgar changed the title Fixing a bug fix: properly handle missing algorithm type Sep 14, 2022
@wraithgar wraithgar self-assigned this Sep 14, 2022
@wraithgar wraithgar merged commit 2e876d1 into npm:main Oct 4, 2022
@github-actions github-actions bot mentioned this pull request Oct 4, 2022