From dfd7ebdc73204bd524b602edd2c9d5115aa91947 Mon Sep 17 00:00:00 2001
From: Zhenxu Ke
Date: Mon, 26 Apr 2021 22:27:56 +0800
Subject: [PATCH] Add shasum verification to Codecov Bash Uploader (#6843)

According to https://about.codecov.io/security-update/
---
 tools/coverage/report.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/tools/coverage/report.sh b/tools/coverage/report.sh
index ce42944d91..fe4c5aecd1 100755
--- a/tools/coverage/report.sh
+++ b/tools/coverage/report.sh
@@ -41,4 +41,13 @@ for exec_data in "${JACOCO_HOME}"/*.exec; do
 "${JACOCO_HOME}"/"$exec_data".exec
 done
 
-bash <(curl -s https://codecov.io/bash) -X fix -f /tmp/report-*.xml || true
+# Download codecov bash uploader and verify the sha sums before using it.
+curl -s https://codecov.io/bash > codecov
+VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2)
+for i in 1 256 512
+do
+ shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM") ||
+ shasum -a $i -c <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
+done
+
+bash codecov -X fix -f /tmp/report-*.xml || true
-- 
GitLab
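Review bot: A checksum mismatch in the new `for` loop does not visibly stop the script, so `bash codecov` on the last added line still runs a file that failed verification unless `set -e` is enabled above this hunk, which is not shown. Make the failure explicit by ending the fallback `shasum` call with `|| { echo "codecov checksum verification failed" >&2; exit 1; }`, and consider `curl -fsS` for both downloads so an HTTP error page is never saved as the uploader or read as a checksum list. `VERSION` is parsed from the very file being checked, so the check only holds while the GitHub-hosted `SHA${i}SUM` files are a separate trust anchor from codecov.io; pinning an expected version or digest in the repository would remove that dependence. `$i` should also be quoted in both `shasum` calls.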