Re-apply a71615a. Fixes #3265 again, with a test!

a71615a accidentally got reverted by 355bb7e, which split the changed file into multiple files. Original commit message: Check SHA before using files from cache Fixes #3265. Because 'npm install' *always* writes every package to the cache (even if it isn't installed from the registry) before installing it, it's easy to end up in a situation where "npm install foo" installs something other than the appropriate version from the registry. eg: npm cache clean # Install a fork of version 0.0.1: npm install https://github.com/glasser/npm-cache-corruption/tarball/93c447e rm -rf node_modules # Before this commit, this would install the same fork as above npm install npm-cache-corruption
npm · Sep 22, 2014 · 9d1a9db · 9d1a9db · MylesBorins · Oct 9, 2014
1 parent 1d41db0
commit 9d1a9db
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 0 deletions.
diff --git a/lib/cache/add-named.js b/lib/cache/add-named.js
@@ -158,6 +158,10 @@ function addNameVersion (name, v, data, cb) {
           if (er && er.code !== "ENOENT" && er.code !== "ENOTDIR")
             return cb(er)
           if (er) return fetchit()
+          // check the SHA of the package we have, to ensure it wasn't installed
+          // from somewhere other than the registry (eg, a fork)
+          if (data._shasum && dist.shasum && data._shasum !== dist.shasum)
+            return fetchit()
           return cb(null, data)
         })
       } else return fetchit()

diff --git a/test/tap/cache-shasum-fork.js b/test/tap/cache-shasum-fork.js
@@ -0,0 +1,102 @@
+var npm = require.resolve("../../")
+var test = require("tap").test
+var path = require("path")
+var fs = require("fs")
+var rimraf = require("rimraf")
+var mkdirp = require("mkdirp")
+var mr = require("npm-registry-mock")
+var common = require("../common-tap.js")
+var cache = path.resolve(__dirname, "cache-shasum-fork", "CACHE")
+var cwd = path.resolve(__dirname, "cache-shasum-fork", "CWD")
+var spawn = require("child_process").spawn
+var server
+
+// Test for https://github.com/npm/npm/issues/3265
+
+test("mock reg", function(t) {
+  rimraf.sync(cache)
+  mkdirp.sync(cache)
+  rimraf.sync(cwd)
+  mkdirp.sync(path.join(cwd, "node_modules"))
+  mr(common.port, function (s) {
+    server = s
+    t.pass("ok")
+    t.end()
+  })
+})
+
+test("npm cache - install from fork", function(t) {
+  // Install from a tarball that thinks it is underscore@1.5.1
+  // (but is actually a fork)
+  var forkPath = path.resolve(
+    __dirname, "cache-shasum-fork", "underscore-1.5.1.tgz")
+  var output = ""
+    , child = spawn(process.execPath, [npm, "install", forkPath], {
+      cwd: cwd,
+      env: {
+        "npm_config_cache"    : cache,
+        "npm_config_registry" : common.registry,
+        "npm_config_loglevel" : "silent"
+      }
+    })
+
+  child.stderr.on("data", function(d) {
+    t.fail("Should not get data on stderr: " + d)
+  })
+
+  child.stdout.on("data", function(d) {
+    output += d.toString()
+  })
+
+  child.on("close", function(code) {
+    t.equal(code, 0, "exit ok")
+    t.equal(output, "underscore@1.5.1 node_modules/underscore\n")
+    var index = fs.readFileSync(
+      path.join(cwd, "node_modules", "underscore", "index.js"),
+      "utf8"
+    )
+    t.equal(index, 'console.log("This is the fork");\n\n')
+    t.end()
+  })
+})
+
+test("npm cache - install from origin", function(t) {
+  // Now install the real 1.5.1.
+  rimraf.sync(path.join(cwd, "node_modules"))
+  mkdirp.sync(path.join(cwd, "node_modules"))
+  var output = ""
+    , child = spawn(process.execPath, [npm, "install", "underscore"], {
+      cwd: cwd,
+      env: {
+        "npm_config_cache"    : cache,
+        "npm_config_registry" : common.registry,
+        "npm_config_loglevel" : "silent"
+      }
+    })
+
+  child.stderr.on("data", function(d) {
+    t.fail("Should not get data on stderr: " + d)
+  })
+
+  child.stdout.on("data", function(d) {
+    output += d.toString()
+  })
+
+  child.on("close", function(code) {
+    t.equal(code, 0, "exit ok")
+    t.equal(output, "underscore@1.5.1 node_modules/underscore\n")
+    var index = fs.readFileSync(
+      path.join(cwd, "node_modules", "underscore", "index.js"),
+      "utf8"
+    )
+    t.equal(index, "module.exports = require('./underscore');\n")
+    t.end()
+  })
+})
+
+test("cleanup", function(t) {
+  server.close()
+  rimraf.sync(cache)
+  rimraf.sync(cwd)
+  t.end()
+})
diff --git a/test/tap/cache-shasum-fork/underscore-1.5.1.tgz b/test/tap/cache-shasum-fork/underscore-1.5.1.tgz