Check security hash before accepting downloaded files.

Fixes #7 in the simplest possible way. The current code will ignore any files with a different security hash from the one given by the developer. When ignoring, it emits a message warning of a potentially malicious content. It will also always emit a message when a downloaded file passes the security hash check.
2016-10-22 03:01:07 -02:00 · 2016-10-22 03:01:07 -02:00 · daee3bf493
commit daee3bf493
parent 2e7694b89d
2 changed files with 47 additions and 39 deletions
--- a/cachep2p.min.js
+++ b/cachep2p.min.js
--- a/index.js
+++ b/index.js
@ -129,8 +129,15 @@ function CacheP2P(opts, callback){
        // debug(b)
        // debug(b.toString('utf8'))
        var got_page = JSON.parse(b.toString('utf8'))
-        // self.emit('message', "Got cached version of "+got_page.url+" from web peer, modifying link to point to cache.")
+        // self.emit('message', "Got cached version of "+got_page.url+" from web peer, checking security hash.")

+        sha(got_page.page, function (page_hash) {
+          if (page_hash != self.security_sha1[got_page.url]) {
+            self.emit('message', 'Cached version of ' + got_page.url + ' has wrong security hash. This is possibly malicious content! Ignoring the version obtained.');
+            return;
+          }
+
+          self.emit('message', 'Cached version of ' + got_page.url + ' has a verified security hash! Proceeding by changing links in page.');
          cached_link_lists[got_page.url] = got_page
          self.update_links()

@ -157,6 +164,7 @@ function CacheP2P(opts, callback){
              }
            }
          }
+        });
      })
    })
  }