Closed dglinder closed 5 years ago
The URL also works as "https://www.mls-software.com/files/setupssh-7.1p1-1.exe" so this would reduce potential for man-in-the-middle attacks compromising the build.
I am kind of shocked to see that this is even a thing throughout multiple points of the scripts. This is a high security risk. Searching for 'http:' shows some more results:
https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/compact.bat#L2
https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/compact.bat#L7
https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/puppet-enterprise.bat#L2
https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/puppet.bat#L2
https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/rsync.bat#L3
https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/rsync.bat#L8
https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/vm-guest-tools.bat#L2
https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/vm-guest-tools.bat#L18
https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/chef.bat#L2
https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/openssh.ps1#L9
This is not good!
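The remediation the thread points at is to fetch the installers over HTTPS and, independently of the transport, pin a hash of each binary so a swapped file is rejected even if the CDN or mirror is compromised. The following PowerShell helper is an added example written for this page; it is not code from packer-windows. The `Get-VerifiedFile` name, the `-ExpectedSha256` parameter and the `SETUPSSH_SHA256` environment variable are assumptions of the example; the hash itself must come from the publisher (or be recorded from a known-good download) and is deliberately not hard-coded here.

```powershell
# Added example, not part of packer-windows. Download a file over HTTPS only and
# refuse to keep it unless its SHA-256 matches a value pinned by the caller.
function Get-VerifiedFile {
    param(
        [Parameter(Mandatory)][string]$Url,            # must be https://
        [Parameter(Mandatory)][string]$OutFile,        # where to write the download
        [Parameter(Mandatory)][string]$ExpectedSha256  # hex digest supplied by the caller
    )

    # Fail closed on plain http:// so a typo cannot reintroduce the MITM exposure.
    if ($Url -notmatch '^https://') {
        throw "Refusing non-HTTPS URL: $Url"
    }

    # Older Windows builds default to SSL3/TLS1.0; force TLS 1.2 for the session.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing

    # Verify the pinned digest. Transport security alone does not protect against
    # a compromised origin, so the hash check is the actual supply-chain control.
    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        Remove-Item -Path $OutFile -Force -ErrorAction SilentlyContinue
        throw "SHA-256 mismatch for $Url : expected $ExpectedSha256, got $actual"
    }

    return $OutFile
}

# Usage for the OpenSSH installer discussed above. The expected hash is read from an
# environment variable (an assumption of this example) rather than invented here.
if (-not $env:SETUPSSH_SHA256) {
    throw "Set SETUPSSH_SHA256 to the publisher's SHA-256 for setupssh-7.1p1-1.exe"
}
Get-VerifiedFile `
    -Url 'https://www.mls-software.com/files/setupssh-7.1p1-1.exe' `
    -OutFile "$env:TEMP\setupssh-7.1p1-1.exe" `
    -ExpectedSha256 $env:SETUPSSH_SHA256
```

The same pattern applies to the `.bat` scripts listed above: each of them can shell out to `powershell -ExecutionPolicy Bypass -File` with this helper instead of fetching the binary over `http:`, and the pinned digests live beside the script in version control so a changed upstream file fails the build rather than silently entering the image.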