Describe the fix
apps/desktop/src/context/ExtensionContext.tsx:73 fetches the extension catalog from http://raw.githubusercontent.com/.... Plain HTTP allows a network attacker to inject arbitrary repository/data entries, which are then passed to install_extension and cloned.
Proposed fix:
- Force https:// for any registryUrl value (reject on scheme mismatch).
- Validate the response domain against an allowlist (e.g., raw.githubusercontent.com).
- Optionally sign the catalog JSON and verify it in Rust before consuming it.
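As an added example (not code from the project), one way to implement the first two bullets on the desktop side in TypeScript, plus the same https-and-allowlist rule applied to each catalog entry before it can reach install_extension; the function names, the CatalogEntry shape and the github.com allowlist for repository entries are assumptions:

```typescript
// Added example, not the project's code. Names and the catalog shape are assumptions.
const ALLOWED_REGISTRY_HOSTS = new Set(["raw.githubusercontent.com"]);
const ALLOWED_REPOSITORY_HOSTS = new Set(["github.com"]); // assumed allowlist for entries

// Parse registryUrl and accept it only when it is https:// to an allowlisted host.
// Embedded credentials are rejected too, so "https://raw.githubusercontent.com@evil"
// cannot pass a naive substring check on the host name.
function validateRegistryUrl(registryUrl: string): URL {
  let url: URL;
  try {
    url = new URL(registryUrl);
  } catch {
    throw new Error(`registryUrl is not a valid URL: ${registryUrl}`);
  }
  if (url.protocol !== "https:") {
    throw new Error(`registryUrl must use https://, got ${url.protocol}`);
  }
  if (url.username !== "" || url.password !== "") {
    throw new Error("registryUrl must not embed credentials");
  }
  if (!ALLOWED_REGISTRY_HOSTS.has(url.hostname)) {
    throw new Error(`registry host is not allowlisted: ${url.hostname}`);
  }
  return url;
}

// Minimal assumed shape of one catalog entry; only `repository` matters here.
interface CatalogEntry {
  name: string;
  repository: string;
}

// A valid registry URL says nothing about what the fetched body points at, so
// every repository entry gets the same scheme + host check before cloning.
function filterCatalog(entries: CatalogEntry[]): CatalogEntry[] {
  return entries.filter((entry) => {
    try {
      const u = new URL(entry.repository);
      return (
        u.protocol === "https:" &&
        u.username === "" &&
        u.password === "" &&
        ALLOWED_REPOSITORY_HOSTS.has(u.hostname)
      );
    } catch {
      return false; // unparsable repository field: drop the entry
    }
  });
}
```

Running the validation in the renderer is a first line of defence only; the Rust side that performs the clone should re-check the URL it receives rather than trust the frontend.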
Context / Problem
Combined with the git_url issue on install, an HTTP MITM upgrades directly to RCE during extension installation. HTTPS is free and removes this class of attacks.
Trixty Version
v1.0.10
What operating system are you using?
Windows
Would you like to implement this fix yourself by sending a PR?
Maybe