dougbtv / docker-asterisk

Some dockerfiles for whipping up an asterisk server
283 stars 135 forks

Insecure sources retrieval #43

Closed ghost closed 8 years ago

ghost commented 8 years ago

Hello,

There is no file integrity check and no HTTPS while downloading these files:

An attacker can easily inject malicious code to backdoor the software or take the control of the Docker container.

To solve this issue, hash of downloaded files should be checked or downloaded over HTTPS or both.

About the Asterisk binary: I have found https://downloads.asterisk.org/code/browse/asterisk over HTTPS, but there is no option to download the repository over HTTPS. Their git clone git://git.asterisk.org/asterisk/asterisk.git is insecure as it uses git://, so it provides no authentication / encryption.

dougbtv commented 8 years ago

Alright, I have checks in that look at the md5 signatures; however, both are over HTTP, which is what I have within my locus of control. The gist is that I look at the md5 signatures, and if they mismatch, the commands exit non-zero, which will stop the docker build, which should be a hint.

Thanks for the details, and the mind towards security when looking at this, I appreciate it.

I realize that HTTPS would be more ideal; however, there are no official releases for these products over HTTPS (that I can find). I would gladly appreciate it if you could open issues with the providers of these software packages to address this, and I will happily integrate.

Specifically I want this project to use the certified asterisk branches (11 & 13 for now, the LTS releases), as that is the product that Digium officially supports (e.g. if you were to buy support or get consulting from Digium, the first thing they will have you do is update to the latest certified). If I have missed a method of downloading these tarballs, let me know and I will update them.

dougbtv commented 8 years ago

I think I have a path forward @pwnsdx -- looks like there's a way to git clone the source over https!

Discovered from: https://wiki.asterisk.org/wiki/display/AST/Gerrit+Usage

In short, I can do something along the lines of:

git clone --depth 1 https://gerrit.asterisk.org/asterisk

I just need a way to figure out which branch to use... On my scratch pad I have...

git ls-remote --heads https://gerrit.asterisk.org/asterisk
git ls-remote --heads https://gerrit.asterisk.org/asterisk | grep -i "certified/11.6"
git clone -b certified/11.6 --depth 1 https://gerrit.asterisk.org/asterisk

Pretty sure this is going to be the ticket.

Any commentary herein? Happy to discuss for sure, this has been on my mind (but I've been on vacation, so it hasn't been on my mind too much, tbh!)
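The two controls discussed in this thread, the checksum-check-that-fails-the-build from the earlier comment and the certified-branch selection from `git ls-remote` sketched above, as an added shell example that is not code from the docker-asterisk repo. It assumes the expected hash is pinned in the build script itself (a hash fetched over the same HTTP channel as the tarball can be rewritten along with it) and uses sha256 rather than md5; the download URL in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the docker-asterisk repository.
# (1) verify a downloaded tarball against a checksum pinned in the build file,
#     returning non-zero so that `docker build` stops on a mismatch;
# (2) pick the highest certified/MAJOR.x branch from `git ls-remote --heads`
#     output so it can be cloned over HTTPS.
set -eu

# verify_checksum FILE EXPECTED_SHA256
# Returns 0 when FILE hashes to EXPECTED_SHA256, 1 otherwise. The expected
# value belongs in the build file, not on the same server as the tarball.
verify_checksum() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, want $expected" >&2
        return 1
    fi
    return 0
}

# latest_certified_branch MAJOR
# Reads `git ls-remote --heads` lines ("<sha>\trefs/heads/<name>") on stdin
# and prints the highest certified/MAJOR.<minor> branch name, e.g. certified/13.13.
# Minor numbers are compared numerically so 13.13 sorts after 13.8.
latest_certified_branch() {
    major=$1
    sed -n 's#^[0-9a-f]*[[:space:]]*refs/heads/\(certified/'"$major"'\.[0-9]*\)$#\1#p' \
        | sort -t. -k2,2n | tail -n 1
}

# Usage sketch (network access needed for the real download and clone):
#   expected=<sha256 pinned in the Dockerfile>
#   curl -fsSLo asterisk.tar.gz https://example.invalid/asterisk.tar.gz   # placeholder URL
#   verify_checksum asterisk.tar.gz "$expected"
#   branch=$(git ls-remote --heads https://gerrit.asterisk.org/asterisk | latest_certified_branch 13)
#   git clone -b "$branch" --depth 1 https://gerrit.asterisk.org/asterisk
```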

dougbtv commented 8 years ago

Just an update here that this is still on my "notepad" if-you-will, haven't implemented it yet, but, before I do if you have any commentary, I'm more than willing to listen for advice. Thanks, -Doug

ghost commented 8 years ago

Hey, this sounds like the best way to get the sources! :)

S.

dougbtv commented 8 years ago

Alright, finally got the git method of retrieval in there in #49. Thanks again for the heads up on this one, it's a nice improvement and I appreciate the feedback and suggestions for sure.