Potential security issue in ESSR #429

Closed
dlesl opened this issue May 26, 2017 · 5 comments

Comments

@dlesl

dlesl commented May 26, 2017

Hi!
While using ESS remotely (which worked great), I noticed that ESS instructs the remote server to load and execute a .rda file from a third-party server over HTTP (see etc/ESSR/LOADREMOTE). Since this file can contain arbitrary code, this could be an issue. Would it be possible to either load the .rda from a more secure address (e.g. https://raw.github...), or even better, just send the R source code over ssh? On my machine it takes <100 ms to parse, and I think this would increase reliability too, for example in cases where the remote server is behind a firewall.
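The risk described above is a fetch-then-load step with neither transport protection nor an integrity check. The following is an added example (not ESS or ESSR code) of the two checks a hardened loader would apply before handing the bytes to R: an HTTPS-only, allow-listed source policy, and a pinned SHA-256 digest compared in constant time. The host name, the sample bytes and the pinned digest are all constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for the archive bytes the remote R session would load.
# Not the real ESSR.rda; any bytes serve for the demonstration.
SAMPLE_ARCHIVE = b"RDX3\nconstructed ESSR payload\n"

# A digest pinned at release time and shipped with the client. It must come
# from the distribution itself, never from the same place as the file.
PINNED_SHA256 = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()

# Hypothetical allow-list of hosts the project controls (placeholder value).
ALLOWED_HOSTS = {"essr-host.example"}


def is_acceptable_source(url: str) -> bool:
    """Accept only TLS transport to an explicitly allowed host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS


def verify_archive(data: bytes, pinned_hex: str) -> bool:
    """Compare the fetched bytes' SHA-256 against the pinned digest.

    hmac.compare_digest avoids leaking how many leading characters matched.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, pinned_hex)


def safe_to_load(url: str, data: bytes, pinned_hex: str) -> bool:
    """Fail closed: both the source policy and the integrity check must pass.

    Only when this returns True should the bytes be passed to R's load().
    """
    return is_acceptable_source(url) and verify_archive(data, pinned_hex)
```

A plain-HTTP URL fails the source policy even when the bytes are intact, and a single altered byte fails the integrity check even over HTTPS, which is the point of keeping both checks.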

@vspinu
Member

vspinu commented May 31, 2017

This is high priority. We really need to do something about it. That probably means shipping a tar.gz with the distribution.

@mmaechler
Member

Can we not just switch from http: to https: ?

vspinu added a commit that referenced this issue Jun 3, 2017
@vspinu
Member

vspinu commented Jun 3, 2017

Ok. I have done that. There was a reason why it's fetched from a remote. Back then I couldn't find a satisfactory solution for the file transfer, but things might have changed.

@brendan-r

Out of interest, why pull a binary from a personal server containing an R environment, containing a single R function? Why not just include that function as part of ESS?

(This behavior has spooked me a little.)

@vspinu
Member

vspinu commented Feb 10, 2018

It contains quite a bit more than one function.

I think the right approach would be to send the archive through TRAMP. The current situation is clearly unsatisfactory.

jabranham added a commit to jabranham/ESS that referenced this issue Aug 23, 2018
Instead of downloading ESSR.rda from a website, we'll transfer it from
the local machine to the remote machine. This will probably be faster
anyway if the two computers are on the same network.

Closes emacs-ess#429
jabranham added a commit to jabranham/ESS that referenced this issue Aug 26, 2018
Instead of downloading ESSR.rda from a website, we'll transfer it from
the local machine to the remote machine. This will probably be faster
anyway if the two computers are on the same network.

Closes emacs-ess#429
jabranham added a commit to jabranham/ESS that referenced this issue May 29, 2019
@vspinu vspinu self-assigned this May 30, 2019
@vspinu vspinu closed this as completed in d013966 Jun 9, 2019