From 5e062b5e9a00e0671e61ef1abe5c9135b9dd8cf1 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Mon, 1 Jun 2026 10:13:20 -0700
Subject: [PATCH] Harden coverity tool download: curl + gzip sanity check

---
 .github/workflows/coverity-scan-fixes.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/coverity-scan-fixes.yml b/.github/workflows/coverity-scan-fixes.yml
index 804baa10..801a0621 100644
--- a/.github/workflows/coverity-scan-fixes.yml
+++ b/.github/workflows/coverity-scan-fixes.yml
@@ -63,10 +63,17 @@ jobs:
         env:
           TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN_WOLFTPM }}
         run: |
-          curl https://scan.coverity.com/download/cxx/linux64 \
-            --no-progress-meter \
+          curl -L --fail --no-progress-meter \
             --output cov-analysis.tar.gz \
-            --data "token=${TOKEN}&project=wolfTPM"
+            --data-urlencode "token=${TOKEN}" \
+            --data-urlencode "project=wolfTPM" \
+            https://scan.coverity.com/download/cxx/linux64
+          file cov-analysis.tar.gz
+          if ! gzip -t cov-analysis.tar.gz 2>/dev/null; then
+            echo "Downloaded file is not gzip — server response:"
+            head -c 2000 cov-analysis.tar.gz
+            exit 1
+          fi
           mkdir -p cov-analysis
           tar -xzf cov-analysis.tar.gz --strip 1 -C cov-analysis