search

jorgebucaran / fisher

A plugin manager for Fish
https://git.io/fisher
MIT License
7.53k stars 257 forks source link

added --insecure flag to curl #735

Closed rolandweibel closed 1 year ago

rolandweibel commented 1 year ago

Added --insecure flag to curl to fix error when certificates were not trusted

jorgebucaran commented 1 year ago

@rolandweibel Why were certificates not trusted?

rolandweibel commented 1 year ago

I'm using a proxy server from work, and that contains an intermediate certificate in my chain that was not trusted.

jorgebucaran commented 1 year ago

Got it, thanks, and this flag basically tells curl to go ahead regardless.

I wonder if anyone more knowledgeable about curl could point out if there are any disadvantages to adding this. 🤓

waeltken commented 1 year ago

I don't think this would be a good default, maybe as an option? I would not want fisher to pull from servers without valid TLS certificates since there is no other signature or integrity check for the plugins.

jorgebucaran commented 1 year ago

Agreed, but Fisher won't pull from any servers other than GitHub or GitLab's, right?

2-4601 commented 1 year ago

With the --insecure flag curl cannot distinguish a real GitHub server from a fake one. I.e. without certificates a malicious actor can pretend to be GitHub and feed you a bad Fish theme that turns all your colors pink and cyan.

jorgebucaran commented 1 year ago

a malicious actor can pretend to be GitHub

How would that actually work? You can't feed URLs to Fisher. foo/bar means install from GitHub (by default) or from GitLab by using gitlab.com/ before the plugin name. 🤔

a bad Fish theme that turns all your colors pink and cyan.

So bad, indeed! 🙈

2-4601 commented 1 year ago

How would that actually work?

Let's say you don't want to work from home or office today. So you go outside to a park or a cafe. You pick a Wi-Fi network and start working. But before you start you must procrastinate a little bit and you decide to install the Fish logo. So you run fisher install laughedelic/fish_logo. When you run this, curl will ask "Who's github.com?". Let's assume that someone can send you a false reply or that the DNS server itself is poisoned or compromised and it sends you the wrong IP address. Now when curl establishes the connection to github.com with the --insecure flag, it will happily connect to the wrong IP without objections. And the fake GitHub can now serve curl anything it pleases. However, if curl is run without the --insecure flag, it will see that the fake GitHub's certificate is not trusted, refuses to continue and throws an error.

jorgebucaran commented 1 year ago

Thank you, @rolandweibel and @2-4601. Closing as wontfix.