Save a hash of the hls.min.js release (#3464)

bouk · web-flow · commit dfa2e81e6131 · 2024-06-17T23:15:18.000+02:00
This ensures the downloaded hls.js matches exactly and removes a dependency on cdn.jsdelivr.net
diff --git a/.github/workflows/bump_hls_js.yml b/.github/workflows/bump_hls_js.yml
@@ -19,10 +19,13 @@ jobs:
         && git config user.email bot@mediamtx
         && ((git checkout deps/hlsjs && git rebase ${GITHUB_REF_NAME}) || git checkout -b deps/hlsjs)
 
-    - run: >
+    - run: |
+        set -e
         VERSION=$(curl -s https://api.github.com/repos/video-dev/hls.js/releases?per_page=1 | grep tag_name | sed 's/\s\+"tag_name": "\(.\+\)",/\1/')
-        && echo $VERSION > internal/servers/hls/hlsjsdownloader/VERSION
-        && echo VERSION=$VERSION >> $GITHUB_ENV
+        HASH=$(curl -sL https://github.com/video-dev/hls.js/releases/download/$VERSION/release.zip -o- | sha256sum | cut -f1 -d ' ')
+        echo $VERSION > internal/servers/hls/hlsjsdownloader/VERSION
+        echo $HASH > internal/servers/hls/hlsjsdownloader/HASH
+        echo VERSION=$VERSION >> $GITHUB_ENV
 
     - id: check_repo
       run: >
diff --git a/internal/servers/hls/hlsjsdownloader/HASH b/internal/servers/hls/hlsjsdownloader/HASH
@@ -0,0 +1 @@
+869ea17a6ddb2cf483ca8c692fc6c7ba80de0882105ba300027af2edaed1b902
diff --git a/internal/servers/hls/hlsjsdownloader/main.go b/internal/servers/hls/hlsjsdownloader/main.go
@@ -2,24 +2,30 @@
 package main
 
 import (
+	"archive/zip"
+	"bytes"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"io"
+	"io/fs"
 	"log"
 	"net/http"
 	"os"
 	"strings"
 )
 
 func do() error {
-	log.Println("downloading hls.js...")
-
 	buf, err := os.ReadFile("./hlsjsdownloader/VERSION")
 	if err != nil {
 		return err
 	}
+
 	version := strings.TrimSpace(string(buf))
 
-	res, err := http.Get("https://cdn.jsdelivr.net/npm/hls.js@" + version + "/dist/hls.min.js")
+	log.Printf("downloading hls.js version %s...", version)
+
+	res, err := http.Get("https://github.com/video-dev/hls.js/releases/download/" + version + "/release.zip")
 	if err != nil {
 		return err
 	}
@@ -29,15 +35,38 @@ func do() error {
 		return fmt.Errorf("bad status code: %v", res.StatusCode)
 	}
 
-	buf, err = io.ReadAll(res.Body)
+	zipBuf, err := io.ReadAll(res.Body)
 	if err != nil {
 		return err
 	}
 
-	err = os.WriteFile("hls.min.js", buf, 0o644)
+	hashBuf, err := os.ReadFile("./hlsjsdownloader/HASH")
 	if err != nil {
 		return err
 	}
+	hash := make([]byte, hex.DecodedLen(len(hashBuf)))
+
+	if _, err = hex.Decode(hash, bytes.TrimSpace(hashBuf)); err != nil {
+		return err
+	}
+
+	if sum := sha256.Sum256(zipBuf); !bytes.Equal(sum[:], hash) {
+		return fmt.Errorf("hash mismatch")
+	}
+
+	z, err := zip.NewReader(bytes.NewReader(zipBuf), int64(len(zipBuf)))
+	if err != nil {
+		return err
+	}
+
+	hls, err := fs.ReadFile(z, "dist/hls.min.js")
+	if err != nil {
+		return err
+	}
+
+	if err = os.WriteFile("hls.min.js", hls, 0o644); err != nil {
+		return err
+	}
 
 	log.Println("ok")
 	return nil

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+869ea17a6ddb2cf483ca8c692fc6c7ba80de0882105ba300027af2edaed1b902`