heroku / heroku-buildpack-ruby

Heroku's buildpack for Ruby applications.
MIT License

Node installed insecurely over http #482

Closed TheNotary closed 7 years ago

TheNotary commented 8 years ago

I'm going through the build pack and noticed that a binary is fetched over http and then installed. This should probably be corrected just to make malicious code injections a more involved process.

https://github.com/heroku/heroku-buildpack-ruby/blob/master/lib/language_pack/helpers/node_installer.rb#L8

Edit: When I say code injection I mean malicious parties serving tampered binaries of course.

schneems commented 8 years ago

Good catch, can you send me a PR to change to HTTPS?

TheNotary commented 8 years ago

If I supply the patch, I'd like it to be a thorough audit that includes SSL protocol and version checking to make sure downgrading can't take place. I'm terribly busy at the moment though and will need to invest a little time researching the tcpdump commands and whatever else is needed to get the confirmation I'm comfortable with.

In the meantime, if you want to just patch in an "s" into that protocol section of the URL, by all means you're welcome to the commit entry authorship for this find :) that more than likely will be enough to secure this vector up against most threats.
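The thread raises two separate points: the original report (a binary fetched over plain HTTP, so anyone on the path can substitute a tampered file) and the follow-up wish for protocol/version checking so a TLS downgrade can't quietly undo the fix. The following Ruby snippet is an added illustration of what a hardened fetch looks like; it is not the buildpack's own `node_installer.rb` code and is not the content of PR #486. It assumes a plain URL string and a known-good SHA-256 digest supplied by the caller (both hypothetical inputs), refuses non-HTTPS URLs before connecting, verifies the server certificate, pins a minimum of TLS 1.2, and checks the downloaded bytes against the expected digest so that even a compromised mirror cannot hand over a different binary.

```ruby
require "net/http"
require "openssl"
require "digest"
require "uri"

# Raised when the download URL or the downloaded bytes fail a safety check.
class InsecureDownloadError < StandardError; end

# Refuse anything that is not https:// before a single packet is sent.
# This is the check the original report is about: an http:// URL is rejected outright.
def assert_https!(url)
  uri = URI.parse(url)
  unless uri.is_a?(URI::HTTPS)
    raise InsecureDownloadError, "refusing to fetch #{url}: scheme must be https"
  end
  uri
end

# Build a Net::HTTP client that verifies the peer certificate against the
# system CA store and refuses TLS versions older than 1.2, so a
# man-in-the-middle cannot negotiate the connection down to a weak protocol.
# (Hypothetical helper added here, not code from the buildpack.)
def hardened_http(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.min_version = OpenSSL::SSL::TLS1_2_VERSION
  http
end

# Compare the SHA-256 of the downloaded body with a digest recorded out of band
# (for example in the buildpack source next to the URL). Transport security
# protects the connection; the digest protects against a tampered origin.
def verify_sha256!(body, expected_hex)
  actual = Digest::SHA256.hexdigest(body)
  unless actual == expected_hex.downcase
    raise InsecureDownloadError, "checksum mismatch: expected #{expected_hex}, got #{actual}"
  end
  true
end

# Full flow: HTTPS-only URL, verified TLS >= 1.2 connection, 2xx response,
# and a matching digest. Returns the body only when every check passes.
def fetch_verified(url, expected_sha256)
  uri = assert_https!(url)
  response = hardened_http(uri).start { |http| http.get(uri.request_uri) }
  unless response.is_a?(Net::HTTPSuccess)
    raise InsecureDownloadError, "unexpected HTTP status #{response.code} for #{url}"
  end
  verify_sha256!(response.body, expected_sha256)
  response.body
end

if __FILE__ == $PROGRAM_NAME
  # Placeholder values: replace with the real node tarball URL and its published digest.
  url = ENV.fetch("NODE_URL", "https://example.invalid/node.tar.gz")
  digest = ENV.fetch("NODE_SHA256", "0" * 64)
  bytes = fetch_verified(url, digest)
  puts "downloaded #{bytes.bytesize} verified bytes"
end
```

The order of the checks matters: the scheme is validated before any socket is opened, the TLS floor and peer verification are set before `start`, and the digest check runs on the exact bytes that will be installed. Swapping `http://` for `https://` in the URL, as suggested above, covers the first of these; the other two are what turn "encrypted in transit" into "the file we expected".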

andrew commented 7 years ago

I think this can be closed now as https://github.com/heroku/heroku-buildpack-ruby/pull/486 has been merged

TheNotary commented 7 years ago

Indeed, I'll close this up. Thanks for getting this patched up as quickly as was done. 📆 🍰 :octocat: