plugin-getter: reject plugin version mismatches

When a plugin is loaded from Packer, we now check that the version it reports matches what the name implies. In case there's a mismatch, we log, and reject the binary.
2 years ago · 492cb72000
parent fd5f668ee9
commit 492cb72000
1 changed files with 17 additions and 0 deletions
--- a/packer/plugin-getter/plugins.go
+++ b/packer/plugin-getter/plugins.go
@ -137,6 +137,18 @@ func (pr Requirement) ListInstallations(opts ListInstallationsOptions) (InstallL
 			}
 		}

+		descOut, err := exec.Command(path, "describe").Output()
+		if err != nil {
+			log.Printf("couldn't call describe on %q, ignoring", path)
+			continue
+		}
+
+		var describeInfo pluginsdk.SetDescription
+		err = json.Unmarshal(descOut, &describeInfo)
+		if err != nil {
+			log.Printf("%q: describe output deserialization error %q, ignoring", path, err)
+		}
+
 		// versionsStr now looks like v1.2.3_x5.1 or amazon_v1.2.3_x5.1
 		parts := strings.SplitN(versionsStr, "_", 2)
 		pluginVersionStr, protocolVerionStr := parts[0], parts[1]
@ -147,6 +159,11 @@ func (pr Requirement) ListInstallations(opts ListInstallationsOptions) (InstallL
 			continue
 		}

+		if strings.Replace(pluginVersionStr, "v", "", -1) != describeInfo.Version {
+			log.Printf("plugin %q reported version %s while its name implies version %s, ignoring", path, describeInfo.Version, pluginVersionStr)
+			continue
+		}
+
 		// no constraint means always pass, this will happen for implicit
 		// plugin requirements and when we list all plugins.
 		if !pr.VersionConstraints.Check(pv) {