CodeQL documentation
Dependency download using unencrypted communication channel

ID: rb/insecure-dependency
Kind: problem
Security severity: 8.1
Severity: warning
Precision: high
Tags:
  - security
  - external/cwe/cwe-300
  - external/cwe/cwe-319
  - external/cwe/cwe-494
  - external/cwe/cwe-829
Query suites:
  - ruby-code-scanning.qls
  - ruby-security-extended.qls
  - ruby-security-and-quality.qls

Using an insecure protocol such as HTTP or FTP to download dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.

An attacker positioned on the network path can inject malicious code into the downloaded dependencies, thereby infecting the build artifacts and executing arbitrary code on the machine that builds them.

Recommendation

Always use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from a URL.

Example

The example below shows a Gemfile that specifies a gem source using the insecure HTTP protocol.

    source "http://rubygems.org"
    gem "my-gem-a", "1.2.3"

The fix is to change the protocol to HTTPS.

    source "https://rubygems.org"
    gem "my-gem-a", "1.2.3"
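The following is an added example, not the CodeQL query itself and not code from the original page: a small Ruby linter in the spirit of rb/insecure-dependency that scans Gemfile text for dependency URLs fetched over unencrypted transports (`http://`, `ftp://`, and the unauthenticated `git://` protocol) and rewrites `http://` sources to `https://`. The Gemfile content, gem names and hosts are constructed for the demonstration.

```ruby
require 'uri'

# Schemes that carry dependency bytes without encryption or authentication.
INSECURE_SCHEMES = %w[http ftp git].freeze

# Returns true if the URL uses an unencrypted transport.
def insecure_url?(url)
  uri = URI.parse(url)
  INSECURE_SCHEMES.include?(uri.scheme.to_s.downcase)
rescue URI::InvalidURIError
  false
end

# Scans Gemfile text and returns [line_number, url] pairs for every
# quoted URL (in `source`, or in gem options such as git:/source:) that
# uses an insecure scheme. Comment lines are skipped.
def insecure_sources(gemfile_text)
  findings = []
  gemfile_text.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?('#')
    line.scan(%r{["']([a-z][a-z0-9+.-]*://[^"']+)["']}i) do |(url)|
      findings << [lineno, url] if insecure_url?(url)
    end
  end
  findings
end

# Rewrites http:// sources to https://. Other insecure schemes are left
# untouched because their secure replacement is not mechanical.
def harden(gemfile_text)
  gemfile_text.gsub(%r{(["'])http://}i, '\1https://')
end

# Constructed sample Gemfile (hosts are placeholders, not real gem sources).
SAMPLE_GEMFILE = <<~GEMFILE
  # constructed sample
  source "http://rubygems.org"
  gem "my-gem-a", "1.2.3"
  gem "my-gem-b", git: "git://example.invalid/my-gem-b.git"
  gem "my-gem-c", source: "https://gems.example.invalid"
GEMFILE

if __FILE__ == $PROGRAM_NAME
  insecure_sources(SAMPLE_GEMFILE).each { |n, u| puts "line #{n}: insecure source #{u}" }
  puts harden(SAMPLE_GEMFILE)
end
```

Running the script reports the `http://` source on line 2 and the `git://` dependency on line 4; after `harden`, only the `git://` entry remains for manual review.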
