Lack of integrity verification of downloaded external dependencies

ashfurrow / danger-ruby-swiftlint

A Danger plugin for SwiftLint.

https://rubygems.org/gems/danger-swiftlint

MIT License

203 stars 80 forks source link

Lack of integrity verification of downloaded external dependencies #162

Closed mensfeld closed 3 years ago

mensfeld commented 3 years ago

Hey,

My name is Maciej Mensfeld and I run a research security project called diffend.io.

I've noticed, that this library downloads some external resources and uses them. While it's a totally common pattern, what is lacking here is integrity verification.

You could verify the integrity of the downloaded file before using it by comparing the file hash to a hardcoded, expected file hash.

This is essentially what package managers do to verify the integrity of downloaded packages.

Doing this would prevent attack scenarios in which SwiftLint is manipulated.

Have a great day :)

ashfurrow commented 3 years ago

Hi Maciej 👋 You are correct that we download resources from GitHub to execute:

https://github.com/ashfurrow/danger-ruby-swiftlint/blob/77360835f4a6d5bb87678ee5865a0c0255a1361a/ext/swiftlint/Rakefile#L10-L22

And you are correct that we could hardcode and md5 hash (for example) into our codebase to verify the integrity of SwiftLint. We haven't done so because it hasn't been a priority; we rely on HTTPS to provide reasonable-ish security. For a tool that runs on CI servers, this has been sufficient.

That said, it would not be difficult to add an integrity check (and corresponding unit test). I'm going to leave this issue open in case anyone would like to add this.

mensfeld commented 3 years ago

Thank you. Much appreciated.