Pin and check hash for downloaded binaries

[imbev]

Check for existing issues

• Completed

Describe the feature

In order to provide support for language servers and various tools, Zed automatically downloads binaries from the internet without user approval. To mitigate some security risks, I suggest that Zed pin and check the hashes for all downloaded binaries.

zed::download_file could be changed to require a sha256 hash. Usage of zed::latest_github_release could be replaced by a function returning the binary release url for a given tag or release. The supermaven download could be removed or replaced by a verified mirror.

References:

• Zed downloads NodeJS binary and npm packages from Internet without user’s consent #12589

• zed/crates/supermaven_api/src/supermaven_api.rs

  Line 188 in de8ef08

  let uri = format!(

• zed/extensions/csharp/src/csharp.rs

  Line 28 in 79f3646

  let release = zed::latest_github_release(