From 97475e2c06e09bd7b235cebaadc164b998c448f9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 13 Nov 2025 16:16:05 +1000
Subject: [PATCH] accept additional quick-jump hashes

Accept all known-good `quick-jump.min.js` and `quick-jump.css`
hashes.  This function also partitions the check by path: only the
js or css hash list is checked (whichever is relevant).

A modest refactor makes the code a bit easier to follow and makes it
easy to add hash checks for oher paths in the future, if needed.
---
 .../Server/Features/Documentation.hs          | 92 ++++++++++++++++---
 1 file changed, 78 insertions(+), 14 deletions(-)

diff --git a/src/Distribution/Server/Features/Documentation.hs b/src/Distribution/Server/Features/Documentation.hs
index 020b043d..30fc7bde 100644
--- a/src/Distribution/Server/Features/Documentation.hs
+++ b/src/Distribution/Server/Features/Documentation.hs
@@ -310,22 +310,25 @@ documentationFeature name
                 case dpath of
                   ("..","doc-index.json") : _ -> True
                   _ -> False
-              isQuickJump =
+              hashesToCheck =
                 case dpath of
-                  ("..","quick-jump.min.js") : _ -> True
-                  ("..","quick-jump.css") : _ -> True
-                  _ -> False
+                  ("..", "quick-jump.min.js") : _ -> Just quickJumpJsKnownGoodSha256
+                  ("..", "quick-jump.css")    : _ -> Just quickJumpCssKnownGoodSha256
+                  _                               -> Nothing
             if
-              | isDocIndex || mtime < UTCTime (fromGregorian 2025 2 1) 0 -> pure response
-              | isQuickJump ->
-                   if digest == "548d676b3e5a52cbfef06d7424ec065c1f34c230407f9f5dc002c27a9666bec4" -- quick-jump.min.js
-                   || digest == "6bd159f6d7b1cfef1bd190f1f5eadcd15d35c6c567330d7465c3c35d5195bc6f" -- quick-jump.css
-                     then pure response
-                     else
-                       -- Because Quick Jump also runs on the package page, and not just on the user content domain,
-                       -- we cannot accept arbitrary user-uploaded content.
-                       errForbidden "Quick Jump hash is not correct" [MText "Accepted Quick Jump hashes are listed in the hackage-server source code."]
-              | otherwise -> requireUserContent env response
+              | isDocIndex ->
+                  pure response
+              | Just hashes <- hashesToCheck ->
+                  -- Because Quick Jump also runs on the package page,
+                  -- and not just on the user content domain,
+                  -- we cannot accept arbitrary user-uploaded content.
+                  if digest `elem` hashes
+                    then pure response
+                    else errForbidden "Quick Jump hash is not correct" [MText "Accepted Quick Jump hashes are listed in the hackage-server source code."]
+              | mtime < UTCTime (fromGregorian 2025 2 1) 0 ->
+                  pure response
+              | otherwise ->
+                  requireUserContent env response
 
     rewriteDocs :: BSL.ByteString -> BSL.ByteString
     rewriteDocs dochtml = case BSL.breakFindAfter (BS.pack "<head>") dochtml of
@@ -520,3 +523,64 @@ mapParaM f = mapM (\x -> (,) x <$> f x)
 
 getFileAge :: FilePath -> IO NominalDiffTime
 getFileAge file = diffUTCTime <$> getCurrentTime <*> getModificationTime file
+
+quickJumpJsKnownGoodSha256 :: [String]
+quickJumpJsKnownGoodSha256 =
+  [
+    -- commit: e99aefb50ca63e2dbcc95841efbb53cea90151d8 (Sep 23 2017)
+    -- object: c9f2b445b9
+    "e1da96b0d7ab3d72cfe3786def923c5af91ba331858852f1f43a1acfc5ee6966"
+
+    -- commit: 8e88615a23a9f1980a55bd1b3ef9dcc938d95237 (Oct 10 2017)
+    -- object: cb24f8bdea
+  , "a273a3ef19c21032afc5f65d1e09933146f183da906ca9d0b4c285095539e0e7"
+
+    -- commit: b4982d87f41d9a4d3f6237bacfd819145723e35b (Oct 30 2017)
+    -- object: f22f8f2881
+  , "8aed621ac2b746751585cbe271631394cacc0e01cca4ef589e11b077b0acd291"
+
+    -- commit: 93c1e6eb9e829a66ff213ec076d529ab008880b3 (Dec 16 2017)
+    -- object: bfdf04a372
+  , "4b10c18a7ad35f032e8cdc0d263716a93878bf06d998b1b66dccff06ceeee89d"
+
+    -- commit: 59812a09eb69cbf12407206381f4c214987b1efd (Apr 3 2018)
+    -- object: c03e083607
+  , "ce86bba43edb0534c0faa2d6d0f504877576c5271321e3fbd9638fd4667384a2"
+
+    -- commit: a69311708493efe8524aed0e9d19365f79f2fab3 (Oct 24 2018)
+    -- object: 06c35c7454
+  , "548d676b3e5a52cbfef06d7424ec065c1f34c230407f9f5dc002c27a9666bec4"
+
+    -- commit: 7776566531e72c415f66dd3b13da9041c52076aa (Nov 13 2019)
+    -- object: 0b0eeb27d1
+  , "7ca43fc2058574846e032bc5493a0ad4568e4fa14fb58558fbf48d3bd6693e59"
+  ]
+
+
+quickJumpCssKnownGoodSha256 :: [String]
+quickJumpCssKnownGoodSha256 =
+  [
+    -- commit: d41abb0f606bf5fdbdc0a7bd3758e0c30601b121 (Sep 23 2017)
+    -- object: b69903c3
+    "f95b8b12a8a13dd31add93527e1239fdff6997c7f2396e975e2e415db04b75fb"
+
+    -- commit: 0997eb61803a37803ddb6cf7116eb9db1046b2ce (Oct 10 2017)
+    -- object: ede05042
+  , "59693ef3f0d793031b3af58b214af7884c0f63ce6db659ffd7432cf0aa852b51"
+
+    -- commit: fc069bf200f930c21f96ddbbec1d7c5c69f8ba72 (Jan 15 2018)
+    -- object: 468d8036
+  , "1d51573b72bc8a7b9b0dda3beffb7882db78d22a37840203f761e3969d915027"
+
+    -- commit: fa5ec121e2a700137bab8bd48cc30b1e80f58fd4 (Feb 27 2019)
+    -- object: 8772809c
+  , "29fe483bd37ad3feba12f646e9661731127526f246c246b0011b384e11649dff"
+
+    -- commit: 05ccce6e07731f9788a434d6e06f4cadeff3d6ba (Dec 8 2020)
+    -- object: d656f51c
+  , "6997c223e09b340f5f1bb970c930b458f768a0bbbe787cb87f181820a3d122b3"
+
+    -- commit: 9511e587701349093cbe3ac7c00f13583820774f (Feb 7 2021)
+    -- object: cf10eee4
+  , "6bd159f6d7b1cfef1bd190f1f5eadcd15d35c6c567330d7465c3c35d5195bc6f"
+  ]