matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0
19.94k stars 2.66k forks source link

Add code signing to the Piwik Plugin upgrade process #11909

Open software-opal opened 7 years ago

software-opal commented 7 years ago

Recently I have been looking into the security implications of automatically upgrading Piwik and whilst the Piwik Core is verified using a GPG key, the plugins get no such verification. As a result, an malicious party gaining access to the plugin server could replace latest plugin versions with malicious version with no verification.

The inclusions of libsodium in PHP 7.2 makes this easier. And there are pure-PHP libraries that are supported back to PHP 5. A similar issue was raised for WordPress, however it was postponed due to other priorities.

My understanding is that Piwik already implements auto-updates for it's plugins and as such any attack on the Piwik plugin infrastructure could potentially expose a large number of systems to malicious code.

There is a respectable guide(also linked in that WordPress issue) here on implementing upgrades for PHP.

mattab commented 7 years ago

Thanks for the suggestion. Yes, it would be great to implement the code signing verification mechanism when downloading plugins from the Marketplace. And we also should implement this code signing mechanism when downloading the Piwik core platform via the auto-update mechanism.

Note: currently, the code signing is not checked, we only download the upgrade over HTTPS. Code signing procedure has to be done manually by the users who know about it. We would like to implement this as part of https://github.com/piwik/piwik/issues/7328 We also should surface the manual code signing instructions better, see https://github.com/piwik/piwik/issues/10687