ParisNeo / lollms-webui

Lord of Large Language Models Web User Interface
https://parisneo.github.io/lollms-webui/
Apache License 2.0

Insecure argument passed to cURL #493

Closed d-z-m closed 4 months ago

d-z-m commented 5 months ago

Expected Behavior

A secure download of the Miniconda install script.

Current Behavior

The install script is cURL'd with -k, resulting in an insecure transfer and possible arbitrary code execution on my machine.

Steps to Reproduce

  1. Run any of these without Miniconda installed:
    • scripts/windows/win_install.bat
    • scripts/macos/macos_install.sh
    • scripts/linux/linux_install.sh
  2. pwned

Possible Solution

Don't curl executable things insecurely.

Context

Below is a copy of the text I had put in a security advisory on both this repository and oobabooga/text-generation-webui as of early December. The response from the maintainers has been radio silence, so I am publishing the text here so that people can know/protect themselves.

Security Advisory

Summary

An unsafe command line argument being passed to cURL allows the Miniconda installer download to be MITM'd.

This downloaded script is subsequently run, potentially resulting in arbitrary code execution on user machines.

Details

Here's an example from scripts/linux/linux_install.sh:

  echo "Downloading Miniconda installer from $MINICONDA_DOWNLOAD_URL"
  curl -LOk "$MINICONDA_DOWNLOAD_URL"

It passes the -k argument to cURL.

cURL man page documentation for -k:

       -k, --insecure
              (TLS SFTP SCP) By default, every secure connection curl makes is
              verified to be secure before the transfer takes place. This
              option makes curl skip the verification step and proceed without
              checking.

              When this option is not used for protocols using TLS, curl
              verifies the server's TLS certificate before it continues: that
              the certificate contains the right name which matches the host
              name used in the URL and that the certificate has been signed by
              a CA certificate present in the cert store.  See this online
              resource for further details:
               https://curl.se/docs/sslcerts.html

              For SFTP and SCP, this option makes curl skip the known_hosts
              verification.  known_hosts is a file normally stored in the
              user's home directory in the ".ssh" subdirectory, which contains
              host names and their public keys.

              WARNING: using this option makes the transfer insecure.

The operative line is at the end:

WARNING: using this option makes the transfer insecure.

Impact

All users of the following installer scripts are affected:

ParisNeo commented 5 months ago

Hi. I have removed the k from all the curl calls.

Thank you very much for bringing this forward.
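
A hardened form of the download step discussed in this thread, as an added example that is not code from the project or from either commenter. It drops -k so curl verifies the certificate, and goes one step beyond the fix described above by checking a pinned SHA-256 before the file may be run; the function names and the pinned-hash workflow are assumptions, and only MINICONDA_DOWNLOAD_URL comes from the quoted script.

```shell
#!/bin/sh
# Added example, not the project's code. Function names are hypothetical.

# Print the hex SHA-256 of FILE using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if FILE hashes to exactly EXPECTED (empty output = failure).
verify_installer() {
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# fetch_installer URL OUT EXPECTED_SHA256
# Assumption: EXPECTED_SHA256 is copied from the vendor's published hash
# list and pinned in the install script, so it does not travel with the file.
fetch_installer() {
    url=$1; out=$2; expected=$3
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    # No -k: certificate chain and host name are verified (curl's default).
    # --proto/--proto-redir stop a redirect from downgrading to plain HTTP.
    curl --fail --location --proto '=https' --proto-redir '=https' \
         --tlsv1.2 --output "$out" "$url" || { rm -f "$out"; return 1; }
    if ! verify_installer "$out" "$expected"; then
        echo "SHA-256 mismatch for $out, not running it" >&2
        rm -f "$out"
        return 1
    fi
}

# Usage (placeholder hash, to be replaced with the published value):
#   fetch_installer "$MINICONDA_DOWNLOAD_URL" miniconda_installer.sh \
#       "<published-sha256>"
# Run the installer only if fetch_installer returned 0.
```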