From 55be2f410a0ecf86c7fb23b55ee2cc84f25dc2ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Steven!=20Ragnaro=CC=88k?= Date: Mon, 3 May 2021 15:28:25 -0700 Subject: [PATCH] Validate codecov uploader before executing. After the recent Codecov security incident[1] I've been reviewing codecov usage across ROS repositories. This script is fetching the codecov bash uploader and env scripts without performing the recommended validation step. The validation step does not appear to have been widely explained or publicised and even the official codecov GitHub action was not validating the script until the recent security incident. I have made an attempt to validate the bash uploader here. The environment script is also used but early enough in the process that it wasn't convenient to validate with my lack of familiarity in the travis scripting style. If there's interest I can probably refactor this to fetch and validate both scripts during the setup phase instead of trying to do the bash uploader inline. However I wanted to start with a minimal change. [1]: https://about.codecov.io/security-update/ --- travis.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/travis.sh b/travis.sh index b61b4d50..a6f1ddd1 100755 --- a/travis.sh +++ b/travis.sh 
@@ -411,8 +411,12 @@ for t in $(unify_list " ,;" "$TEST") ; do travis_run "lcov --remove coverage.info '*/test/*' --output-file coverage.info | grep -ve '^Removing'" # Output coverage data for debugging travis_run "lcov --list coverage.info" + # Download and validate codecov bash uploader script + travis_run --title "Download codecov uploader" "curl -s 'https://codecov.io/bash' > codecov" + local codecov_version="$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);" + travis_run --title "Validate codecov uploader" shasum -a 512 -c <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${codecov_version}/SHA512SUM" | grep -w codecov) # Upload to codecov.io: -f specifies file(s) to upload and disables manual coverage gathering - travis_run --title "Upload report" bash <(curl -s https://codecov.io/bash) -f coverage.info -R $ROS_WS/src/$REPOSITORY_NAME + travis_run --title "Upload report" bash codecov -f coverage.info -R $ROS_WS/src/$REPOSITORY_NAME travis_fold end codecov.io ;; esac
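Review bot: The `codecov_version` assignment captures a trailing semicolon: in `local codecov_version="$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);"` the `;` sits inside the double quotes, so the variable expands to something like `1.2.3;` and the SHA512SUM URL becomes `.../1.2.3;/SHA512SUM`, which cannot resolve to the checksum file; move the `;` outside the closing quote or drop it. Two smaller points on the same lines: `local` is only valid inside a function, and the visible context (`for t in ...; do`) does not show whether this block is in one, so please confirm or use a plain assignment; and both `curl -s` calls lack `--fail`, so an HTTP error body would be saved as `codecov` or fed to `shasum -c`, which does fail closed but with a confusing message. Finally, the download step passes a single quoted string with a redirection while the validate step passes bare words with a `<(...)` process substitution; if `travis_run` evaluates its arguments as a string, the expanded `/dev/fd/N` path may not survive, so it would be safer to write the validate step in the same quoted form as the other `travis_run` invocations.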