This repository was archived by the owner on Jun 1, 2022. It is now read-only.
https://github.com/hyperledger/quilt/blob/master/.circleci/config.yml downloads zip file via HTTP to unsafe location and then unpacks it unsafely #473
Open
Description
A man in the middle attacker can potentially replace the zip file downloaded in https://github.com/hyperledger/quilt/blob/master/.circleci/config.yml as it traverses the network since a HTTP link is used:
```shell
curl -L --cookie 'oraclelicense=accept-securebackup-cookie;' http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip -o /tmp/jce_policy.zip
unzip -o /tmp/jce_policy.zip -d /tmp
sudo mv -f /tmp/UnlimitedJCEPolicyJDK8/US_export_policy.jar $JAVA_HOME/jre/lib/security/US_export_policy.jar
sudo mv -f /tmp/UnlimitedJCEPolicyJDK8/local_policy.jar $JAVA_HOME/jre/lib/security/local_policy.jar
```
Additionally, a local attacker can predict where the file will be written (/tmp/jce_policy.zip) and potentially modify it.
Suggestions:
- use https://
- use mktemp to write to a secure file in /tmp
- use mktemp -d to make a secure directory to unpack the files into prior to copying
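One way to apply the three suggestions to that step, as an added example (not the project's config.yml and not the reporter's code); it assumes a bash-based CI image with curl, unzip, mktemp and sudo available and JAVA_HOME set, and wraps the step in a hypothetical install_jce_policy function:

```shell
#!/usr/bin/env bash
# Hardened rewrite of the CircleCI step from the issue (added example, not the project's code).
# Assumes bash with curl, unzip, mktemp and sudo available, and JAVA_HOME set by the CI image.
set -eu

# https:// instead of http://: the archive can no longer be swapped by an on-path attacker.
JCE_URL="https://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip"

# Reject anything that is not an https:// URL so a plain-HTTP link cannot creep back in.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
  esac
}

# mktemp -d creates a fresh, unpredictable directory with mode 0700, so another local user
# cannot pre-create or replace the fixed /tmp/jce_policy.zip or /tmp/UnlimitedJCEPolicyJDK8.
make_workdir() {
  mktemp -d "${TMPDIR:-/tmp}/jce_policy.XXXXXXXX"
}

install_jce_policy() {
  local url="$1" workdir zipfile
  require_https "$url"
  workdir="$(make_workdir)"
  trap 'rm -rf "$workdir"' EXIT                        # remove the private directory however we exit
  zipfile="$(mktemp "$workdir/jce_policy.XXXXXXXX")"   # mktemp for the file as well, inside that directory
  # -f makes curl fail on an HTTP error instead of saving an error page as the zip.
  curl -fsSL --cookie 'oraclelicense=accept-securebackup-cookie;' "$url" -o "$zipfile"
  # Unpack inside the private directory, never directly into the shared /tmp.
  unzip -q -o "$zipfile" -d "$workdir"
  sudo mv -f "$workdir/UnlimitedJCEPolicyJDK8/US_export_policy.jar" "$JAVA_HOME/jre/lib/security/US_export_policy.jar"
  sudo mv -f "$workdir/UnlimitedJCEPolicyJDK8/local_policy.jar" "$JAVA_HOME/jre/lib/security/local_policy.jar"
}
```

The CI step would then call `install_jce_policy "$JCE_URL"`; the working directory is deleted on exit, so no predictable path is left behind in /tmp.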