Presumably man-in-the-middle security issue #1
Comments
Mind that I haven't tested if the older version compiles well.
By the way. After the code review the new version could be uploaded here on GitHub. Then the installation script could download from git://git.jetbrains.org, test against the version uploaded on GitHub, and then install the downloaded version from git://git.jetbrains.org. This way, for users of the script, it would be transparent that there are no security issues, and they would rely on your uploaded code only as a check measure.
Or maybe the fresh code of the android plugin can be found somewhere like here:
Hello, Thanks for creating this issue. I did not know using As you have mentioned, accessing https://git.jetbrains.org/ via CLI does not seem to work, so I guess I will change to clone the android plugin repo from GitHub using
I'm not sure if I understand this correctly, are you saying I should compare the cloned repo from git://git.jetbrains.org against their version on GitHub (https://github.com/JetBrains/android.git)? Would it be better if I clone the android repo directly from GitHub since the main PyCharm source code is from the tagged version on GitHub anyway?
The GitHub repo contains only an outdated version of the android module with the PyCharm tag (211.7442.13). At least I wasn't able to find a fresher version there. But maybe I wasn't thorough enough and you would be able to find a fresher one.
I proposed a rather brute way to verify the download of the newer version via git://git.jetbrains.org/.
git.jetbrains.org can be accessed via a web interface over https (https://git.jetbrains.org/). So theoretically there should be a way to download files manually from there. But in order to cut manual labor it would be useful to find the changed files first -- hence checking the diff between 211.7442.13 (from secure https://github.com/JetBrains/android.git) and 213.7172.26 (from insecure git://git.jetbrains.org/idea/android.git).
Or maybe you could just download 213.7172.26 insecurely from git://git.jetbrains.org/idea/android.git. Pray that you were lucky and there was no middle-man. Upload the source to GitHub. Then you can use it to check the insecurely downloaded code in the bash script (it's still better for users to download from git://git.jetbrains.org/idea/android.git and then check against your secure version than to only use your version).
But I'd rather avoid this "I am lucky" approach. The script can already be modified to securely compile the old 211.7442.13 version though (see my first comment). But first it should be checked that it compiles well.
I think I get what you mean now. Sorry for a bit delayed response, I'm pretty busy with school as exam season arrives. I will figure out a way when I have time. Thanks
I have implemented a way to mitigate the security issue caused by the insecure git protocol. There is a script in the repo that generates the hash value of the android plugin source code; it does it 3 times and stores it. The build script then checks the value and builds the software. This allows users of the script to reproduce the exact hash I have generated by running the hash generation script.
The script uses the git:// protocol, which is insecure (source 1, source 2):
git clone --depth 1 --branch pycharm/$pycharm_version git://git.jetbrains.org/idea/android.git
The fast solution is to change the script to:
pycharm_version=211.7442.13
...
git clone --depth 1 --branch pycharm/$pycharm_version https://github.com/JetBrains/android.git
But the right solution would be to actually do:
pycharm_version=213.7172.26
...
git clone --depth 1 --branch pycharm/$pycharm_version git://git.jetbrains.org/idea/android.git
but then make a code review: via diff, find the files in which there are differences between 211.7442.13 and 213.7172.26. Then somehow download these files from https://git.jetbrains.org/ (via https). This would be much easier if there were a way to securely access git.jetbrains.org via git, not just a browser. Unfortunately I haven't found an easy way on the spur of the moment.
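The two checks discussed in this thread, the pinned-hash verification of the plugin source described in the last comment and the "find the changed files between the trusted and the untrusted tree" review step from the issue body, as an added example that is not the repository's own script. It assumes POSIX sh with coreutils (sha256sum, find, diff, awk) and works on any two directories; the clone commands themselves are left out so it runs offline against a constructed sample tree (make_sample is a hypothetical helper for that purpose only).

```shell
#!/bin/sh
# Added example (not the project's build script): pin a source-tree hash and
# list files that differ between a trusted tree and an untrusted one.
set -eu

# Deterministic hash of every regular file under $1 (excluding .git):
# "relative path  sha256(content)" per file, sorted, then hashed once more.
# The same content at a different absolute path yields the same hash.
tree_hash() {
    dir="$1"
    (cd "$dir" && find . -type f ! -path './.git/*' | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  ' "$f"
        sha256sum < "$f" | cut -d' ' -f1
    done) | sha256sum | cut -d' ' -f1
}

# Compare $1 against a pinned hash $2. Returns 0 on match, 1 on mismatch, so a
# build script can do:  verify_tree "$src" "$PINNED" || exit 1
verify_tree() {
    dir="$1"; expected="$2"
    actual="$(tree_hash "$dir")"
    if [ "$actual" = "$expected" ]; then
        echo "OK: $dir matches pinned hash $expected" >&2
        return 0
    fi
    echo "MISMATCH: $dir expected $expected got $actual" >&2
    return 1
}

# Print the relative paths of files whose content differs between $1 and $2,
# i.e. the list a reviewer would fetch and inspect over https. Files present
# in only one tree are reported by diff as "Only in ..." and are not listed.
changed_files() {
    a="$1"; b="$2"
    diff -rq "$a" "$b" | awk '$1=="Files" && $NF=="differ" {print $2}' | while IFS= read -r p; do
        printf '%s\n' "${p#"$a/"}"
    done
    return 0
}

# Constructed sample tree (hypothetical helper so the example runs offline).
make_sample() {
    d="$(mktemp -d)"
    mkdir -p "$d/src"
    printf 'plugin source\n' > "$d/src/a.txt"
    printf 'more source\n' > "$d/src/b.txt"
    echo "$d"
}
```

In the pattern the thread describes, the hash would be computed once from a tree obtained over a trusted channel (or, as the last comment does, reproduced independently several times) and committed to the repository; the build script then runs verify_tree on whatever the git:// clone returned and refuses to build on mismatch. changed_files gives the review step its shortlist: only the paths it prints need to be fetched over https and compared by hand.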