Upgrade xapian to 1.4.31 and add sha256 check to avoid supply chain attack

2026-03-29 14:59:45 +00:00 · 2026-03-29 13:13:57 +02:00
parent fcce34fde5
commit e47b6ba105
3 changed files with 117 additions and 97 deletions
--- a/core/management/commands/install_xapian.py
+++ b/core/management/commands/install_xapian.py
@@ -39,12 +39,16 @@ class Command(BaseCommand):
            return None
        return xapian.version_string()

-    def _desired_version(self) -> str:
+    def _desired_version(self) -> tuple[str, str, str]:
        with open(
            Path(__file__).parent.parent.parent.parent / "pyproject.toml", "rb"
        ) as f:
            pyproject = tomli.load(f)
-            return pyproject["tool"]["xapian"]["version"]
+            return (
+                pyproject["tool"]["xapian"]["version"],
+                pyproject["tool"]["xapian"]["core-sha256"],
+                pyproject["tool"]["xapian"]["bindings-sha256"],
+            )

    def handle(self, *args, force: bool, **options):
        if not os.environ.get("VIRTUAL_ENV", None):
@@ -53,7 +57,7 @@ class Command(BaseCommand):
            )
            return

-        desired = self._desired_version()
+        desired, core_checksum, bindings_checksum = self._desired_version()
        if desired == self._current_version():
            if not force:
                self.stdout.write(
@@ -65,7 +69,12 @@ class Command(BaseCommand):
            f"Installing xapian version {desired} at {os.environ['VIRTUAL_ENV']}"
        )
        subprocess.run(
-            [str(Path(__file__).parent / "install_xapian.sh"), desired],
+            [
+                str(Path(__file__).parent / "install_xapian.sh"),
+                desired,
+                core_checksum,
+                bindings_checksum,
+            ],
            env=dict(os.environ),
            check=True,
        )
--- a/core/management/commands/install_xapian.sh
+++ b/core/management/commands/install_xapian.sh
@@ -1,7 +1,11 @@
 #!/usr/bin/env bash
 # Originates from https://gist.github.com/jorgecarleitao/ab6246c86c936b9c55fd
 # first argument of the script is Xapian version (e.g. 1.2.19)
+# second argument of the script is core sha256
+# second argument of the script is binding sha256
 VERSION="$1"
+CORE_SHA256="$2"
+BINDINGS_SHA256="$3"

 # Cleanup env vars for auto discovery mechanism
 unset CPATH
@@ -21,9 +25,15 @@ BINDINGS=xapian-bindings-$VERSION

 # download
 echo "Downloading source..."
-curl -O "https://oligarchy.co.uk/xapian/$VERSION/${CORE}.tar.xz"
+curl -O "https://oligarchy.co.uk/xapian/$VERSION/${CORE}.tar.xz" || exit 1
+
+echo "${CORE_SHA256}  ${CORE}.tar.xz" | sha256sum -c - || exit 1
+
 curl -O "https://oligarchy.co.uk/xapian/$VERSION/${BINDINGS}.tar.xz"

+echo "${BINDINGS_SHA256}  ${BINDINGS}.tar.xz" | sha256sum -c - || exit 1
+
+
 # extract
 echo "Extracting source..."
 tar xf "${CORE}.tar.xz"