laster 0.0.1

2026-05-25 15:49:42 +07:00
parent 14d3a3152a
commit e2c4881bb7
22 changed files with 1139 additions and 158 deletions
--- a/agent/app/core/downloader.py
+++ b/agent/app/core/downloader.py
@@ -33,6 +33,7 @@ class Downloader:
        self.repository.add_log(self.task_id, "info", f"Downloading {url}")
        with httpx.stream("GET", url, follow_redirects=True, timeout=120) as response:
            response.raise_for_status()
+            self._validate_response(url, response)
            with destination.open("wb") as handle:
                for chunk in response.iter_bytes():
                    handle.write(chunk)
@@ -40,3 +41,13 @@ class Downloader:
        self.repository.add_log(self.task_id, "info", f"Downloaded to {destination}")
        return destination

+    def _validate_response(self, requested_url: str, response: httpx.Response) -> None:
+        final_url = str(response.url)
+        validate_url_host(final_url, settings.allowed_download_hosts)
+
+        content_type = response.headers.get("content-type", "").split(";", 1)[0].strip().lower()
+        if content_type in {"text/html", "text/plain"}:
+            raise ValueError(
+                "download did not return a package file "
+                f"(requested {requested_url}, final {final_url}, content-type {content_type or 'unknown'})"
+            )
--- a/agent/app/core/task_runner.py
+++ b/agent/app/core/task_runner.py
@@ -6,7 +6,7 @@ import traceback
 from typing import Any

 from app.config import settings
-from app.core.checksum import verify_sha256
+from app.core.checksum import sha256_file
 from app.core.command_runner import CommandRunner
 from app.core.downloader import Downloader
 from app.core.installer import DebInstaller
@@ -197,8 +197,12 @@ class TaskRunner:

        package_path = downloader.download(component["downloadUrl"])
        self.repository.update_task_component(task_id, component_id, progress=35, current_step="verifying checksum")
-        if not verify_sha256(package_path, component["sha256"]):
-            raise ValueError(f"Checksum mismatch for {component_id}")
+        actual_sha256 = sha256_file(package_path)
+        expected_sha256 = component["sha256"].lower()
+        if actual_sha256.lower() != expected_sha256:
+            raise ValueError(
+                f"Checksum mismatch for {component_id}: expected {expected_sha256}, got {actual_sha256}"
+            )
        self.repository.add_log(task_id, "info", f"Checksum verified for {component_id}")

        self.repository.update_task_component(task_id, component_id, progress=60, current_step="installing package")
@@ -245,4 +249,3 @@ class TaskRunner:
        geteuid = getattr(os, "geteuid", None)
        if callable(geteuid) and geteuid() != 0:
            raise PermissionError("Agent must run as root to call apt and systemctl")
-