Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure plugins authenticate downloaded files #158

Closed
ypid opened this issue Feb 12, 2017 · 7 comments
Closed

Ensure plugins authenticate downloaded files #158

ypid opened this issue Feb 12, 2017 · 7 comments

Comments

@ypid
Copy link
Contributor

ypid commented Feb 12, 2017

A few plugins seem to be maintained as part of asdf-vm. Please ensure that those plugins properly authenticate downloaded files.
@ypid ypid mentioned this issue Feb 12, 2017
Closed
ypid added a commit to ypid/asdf-nodejs that referenced this issue Feb 12, 2017
@ypid
Support to signatures/checksums to ensure authenticity
b916b22 
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/) for why this is important.

Related to: asdf-vm/asdf#158
Mitigates: nodejs/node#9859
Mitigates: nodejs/node#6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: asdf-vm#15
Closes: asdf-vm#16
Closes: asdf-vm#19

Also note that this PR also updates the base download URL from "http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that before this PR (or asdf-vm#16 which is not merged), binaries where downloaded over plain legacy HTTP! (those binaries where later executed by the user). This is really bad and is fairly easy to exploit!

Related to: nvm-sh/nvm#736
Related to: nvm-sh/nvm#793
ypid added a commit to ypid/asdf-nodejs that referenced this issue Feb 12, 2017
@ypid
Check signatures/checksums to ensure authenticity
e89f1a4 
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/) for why this is important.

Related to: asdf-vm/asdf#158
Mitigates: nodejs/node#9859
Mitigates: nodejs/node#6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: asdf-vm#15
Closes: asdf-vm#16
Closes: asdf-vm#19

Also note that this PR also updates the base download URL from "http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that before this PR (or asdf-vm#16 which is not merged), binaries where downloaded over plain legacy HTTP! (those binaries where later executed by the user). This is really bad and is fairly easy to exploit!

Related to: nvm-sh/nvm#736
Related to: nvm-sh/nvm#793
ypid added a commit to ypid/asdf-nodejs that referenced this issue Feb 12, 2017
@ypid
Check signatures/checksums to ensure authenticity
f613014 
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/)
for why this is important.

Related to: asdf-vm/asdf#158
Mitigates: nodejs/node#9859
Mitigates: nodejs/node#6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: asdf-vm#15
Closes: asdf-vm#16
Closes: asdf-vm#19

Also note that this PR also updates the base download URL from
"http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that
before this PR (or asdf-vm#16 which is not merged), binaries where downloaded
over plain legacy HTTP! (those binaries where later executed by the
user). This is really bad and is fairly easy to exploit!

Related to: nvm-sh/nvm#736
Related to: nvm-sh/nvm#793
ypid added a commit to ypid/asdf-nodejs that referenced this issue Feb 12, 2017
@ypid
Check signatures/checksums to ensure authenticity
fbb8fd6 
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/)
for why this is important.

Related to: asdf-vm/asdf#158
Mitigates: nodejs/node#9859
Mitigates: nodejs/node#6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: asdf-vm#15
Closes: asdf-vm#16
Closes: asdf-vm#19

Note that this PR also updates the base download URL from
"http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that
before this PR (or asdf-vm#16 which is not merged), binaries where downloaded
over plain legacy HTTP! (those binaries where later executed by the
user). This is really bad and is fairly easy to exploit!

Related to: nvm-sh/nvm#736
Related to: nvm-sh/nvm#793
@ypid ypid mentioned this issue Feb 12, 2017
Merged
ypid added a commit to ypid/asdf-nodejs that referenced this issue Feb 12, 2017
@ypid
Check signatures/checksums to ensure authenticity
8f834c1 
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/)
for why this is important.

Related to: asdf-vm/asdf#158
Mitigates: nodejs/node#9859
Mitigates: nodejs/node#6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: asdf-vm#15
Closes: asdf-vm#16
Closes: asdf-vm#19

Note that this PR also updates the base download URL from
"http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that
before this PR (or asdf-vm#16 which is not merged), binaries where downloaded
over plain legacy HTTP! (those binaries where later executed by the
user). This is really bad and is fairly easy to exploit!

Related to: nvm-sh/nvm#736
Related to: nvm-sh/nvm#793
ypid added a commit to ypid/asdf-nodejs that referenced this issue Feb 12, 2017
@ypid
Check signatures/checksums to ensure authenticity
2e79e06 
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/)
for why this is important.

Related to: asdf-vm/asdf#158
Mitigates: nodejs/node#9859
Mitigates: nodejs/node#6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: asdf-vm#15
Closes: asdf-vm#16
Closes: asdf-vm#19

Note that this PR also updates the base download URL from
"http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that
before this PR (or asdf-vm#16 which is not merged), binaries where downloaded
over plain legacy HTTP! (those binaries where later executed by the
user). This is really bad and is fairly easy to exploit!

Related to: nvm-sh/nvm#736
Related to: nvm-sh/nvm#793
ypid added a commit to ypid/asdf-nodejs that referenced this issue Feb 20, 2017
@ypid
Check signatures/checksums to ensure authenticity
c213d9c 
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/)
for why this is important.

Related to: asdf-vm/asdf#158
Mitigates: nodejs/node#9859
Mitigates: nodejs/node#6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: asdf-vm#15
Closes: asdf-vm#16
Closes: asdf-vm#19

Note that this PR also updates the base download URL from
"http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that
before this PR (or asdf-vm#16 which is not merged), binaries where downloaded
over plain legacy HTTP! (those binaries where later executed by the
user). This is really bad and is fairly easy to exploit!

Related to: nvm-sh/nvm#736
Related to: nvm-sh/nvm#793
@Stratus3D
Copy link
Member

@ypid good catch.

We have a plugin-test command that ensures plugins work properly and meet our standards. Can you think of a way to automatically check for HTTP downloads in our plugin-test command? I suppose we stub curl and wget and see what arguments they are passed. If it's not automated it's probably not going to happen...

@ypid
Copy link
Contributor Author

ypid commented Mar 7, 2017
edited
Loading

The easiest and most effective step would be to check all source code of plugins and enforce that no unauthenticated legacy HTTP connection attempts are to be made. Ref: asdf-vm/asdf-nodejs#16

And maybe a warning could be given if no gpg command is used which is commonly used to verify signatures.

@danhper
Copy link
Member

danhper commented Mar 24, 2019

I will close this issue, as it has been inactive for a long time now.
If there is still interest, please feel free to open a new issue.
Thank you!

@danhper danhper closed this as completed Mar 24, 2019
@lestephane
Copy link

lestephane commented Jun 10, 2022
edited
Loading

I don't see this issue as having been addressed at all. Since plugins can be loaded from anywhere, there is a huge risk in doing asdf install this or asdf install that. There should be at least a way to restrict asdf to using core maintained plugins, and deny others. A denylist or allowlist capability is the very least that needs to be in place, until any thought has been given to a 'proper' solution (which may never come).

For now I deny untrusted plugins this way:

cd ~/.asdf/installs
# explicitly deny the installation of untrusted plugin 'git'
ln -s /dev/null git
# deny all other not-yet-installed plugins by default
chmod u-w .

@Stratus3D
Copy link
Member

@lestephane asdf doesn't implicitly install any plugins. You have to manually asdf plugin add <plugin> in order to get new code on your computer. Once you have installed a plugin it can download data from where ever it wants to, there is no way for us to constrain that. If you are concerned about where plugins pull data from I suggest you audit the source code before running asdf plugin add <plugin>. We'd love to offer better guarantees around plugins, but we don't have any maintainer time to dedicate to third party plugins.

@lestephane
Copy link

If you are concerned about where plugins pull data from I suggest you audit the source code before running asdf plugin add <plugin>.

In my case, I could not audit the code for the git plugin, because it is hosted on a gitlab instance that, at least today, was returning HTTP 429 (too many requests), which made me want to avoid using the plugin altogether.

I ended up denylisting as described, and used homebrew for linux to install the latest git instead. Maybe there is a way to benefit from the declarative clarity of .tool-versions, while using homebrew to actually install the versions. So that we can leverage all the work that's been done there, and the only code that people need to write for asdf is for niche needs, for packages that do not exist in homebrew yet.

And one could potentially, down the line, indicate that versions are to be taken exclusively from homebrew. Mind you, I only installed Homebrew for Linux today, because I did not know it event existed outside of the MacOS ecosystem. And so I do not not know yet how trustworthy packages there can be assumed to be. But I would trust those packages over asdf plugins for sure. There are analytics that I can use to make install decisions:

$ brew info git
...
==> Analytics
install: 226,185 (30 days), 759,196 (90 days), 2,934,353 (365 days)
install-on-request: 220,353 (30 days), 742,485 (90 days), 2,872,847 (365 days)
build-error: 15 (30 days)

@jthegedus
Copy link
Contributor

@lestephane Homebrew manages installation of entire dependency trees without your explicit approval, so as I see it, installing an asdf plugin or a Homebrew package is equally fraught with security concerns.

With asdf plugins you can specify the commit sha of the plugin when you add the plugin. So at least you know people can't change the plugin behaviour out from underneath you. You can even go so far as to Fork each plugin repo you use and maintain your own copy.

asdf as a solution is definitely not as sophiscated as Homebrew, but IMO that is a benefit of asdf. The lack of dependency management allows for an easier time managing the many versions of a tool across a single machines directory tree. We are version management first, not package management which Homebrew is. Trade offs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ypid @danhper @Stratus3D @lestephane @jthegedus