@hmac hmac commented Apr 4, 2022

This query finds cases where a potentially unsafe file is downloaded
over an unsecured connection.

github-actions bot commented Apr 4, 2022

QHelp previews:

ruby/ql/src/queries/security/cwe-829/InsecureDownload.qhelp

Download of sensitive file through insecure connection

Downloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.

Recommendation

Use a secure transfer protocol when downloading executables or other sensitive files.

Example

In this example, a server downloads a shell script from a remote URL and then executes the script.

require "net/http"
require "uri"

# Fetch the script body over plaintext HTTP (Net::HTTP.new expects a host name,
# so the full URL is parsed and fetched with Net::HTTP.get).
script = Net::HTTP.get(URI("http://mydownload.example.org/myscript.sh"))
system(script)

The HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.

The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.

require "net/http"
require "uri"

# Same download, now over HTTPS; Net::HTTP.get enables TLS for an https URL.
script = Net::HTTP.get(URI("https://mydownload.example.org/myscript.sh"))
system(script)

References
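As an added example that is not part of this PR or its qhelp, the Ruby below mirrors the condition the query describes (a sensitive file fetched over a plaintext scheme) as a plain runtime check, and pairs it with a download helper that enforces the recommendation: HTTPS with peer verification, plus a SHA-256 comparison against a digest obtained out of band. The extension list, the function names and the checksum step are assumptions made for illustration, not the query's own definitions.

```ruby
require "uri"
require "net/http"
require "openssl"
require "digest"

# Extensions treated as "sensitive" (code the host might execute or load).
# Constructed list for this example; it is not the query's own definition.
SENSITIVE_EXTENSIONS = %w[.sh .bash .exe .msi .dll .so .rb .py .pl .jar .gem .deb .rpm].freeze

# Plaintext schemes that expose the transfer to an on-path attacker.
PLAINTEXT_SCHEMES = %w[http ftp].freeze

# True when +url+ fetches a sensitive file over a plaintext scheme, i.e. the
# situation the CWE-829 qhelp describes. Unparseable input is not flagged.
def insecure_download?(url)
  uri = URI.parse(url)
  return false unless PLAINTEXT_SCHEMES.include?(uri.scheme.to_s.downcase)
  SENSITIVE_EXTENSIONS.include?(File.extname(uri.path.to_s).downcase)
rescue URI::InvalidURIError
  false
end

# Byte-wise comparison that does not short-circuit on the first mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True when the SHA-256 of +body+ matches +expected_sha256+ (hex, any case),
# a digest you would obtain out of band, e.g. published alongside the file.
def checksum_ok?(body, expected_sha256)
  secure_equal?(Digest::SHA256.hexdigest(body), expected_sha256.to_s.downcase)
end

# Fetches +url+ only over HTTPS with peer verification and returns the body
# only if it matches +expected_sha256+. This performs network I/O.
def fetch_verified(url, expected_sha256)
  raise ArgumentError, "refusing plaintext download: #{url}" if insecure_download?(url)
  uri = URI.parse(url)
  raise ArgumentError, "expected an https URL, got #{uri.scheme.inspect}" unless uri.scheme == "https"

  Net::HTTP.start(uri.host, uri.port, use_ssl: true,
                  verify_mode: OpenSSL::SSL::VERIFY_PEER) do |http|
    response = http.get(uri.request_uri)
    raise "download failed: HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
    raise "checksum mismatch for #{url}" unless checksum_ok?(response.body, expected_sha256)
    response.body
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample URLs: the first is the qhelp's own case.
  [
    "http://mydownload.example.org/myscript.sh",   # flagged: plaintext scheme + script
    "https://mydownload.example.org/myscript.sh",  # not flagged: TLS
    "http://mydownload.example.org/README.txt",    # not flagged: not executable
  ].each { |u| puts "#{insecure_download?(u) ? 'INSECURE' : 'ok      '} #{u}" }
end
```

The checksum step is what makes the HTTPS fix robust against a compromised or misconfigured origin rather than only against an on-path attacker; a digest that is fetched from the same URL over the same channel adds nothing, so it must come from a separate, trusted source.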

@hmac hmac force-pushed the hmac/insecure-download branch from c799e21 to b2f8529 Compare April 4, 2022 22:08
@hmac hmac added the "Awaiting evaluation" label (Do not merge yet, this PR is waiting for an evaluation to finish) Apr 4, 2022
@hmac hmac marked this pull request as ready for review April 14, 2022 02:06
@hmac hmac requested a review from a team as a code owner April 14, 2022 02:06
@alexrford alexrford left a comment

Looks good, just some nitpicks and points I was unsure about. I've started another DCA run as the previous one seems to have failed.

@alexrford alexrford commented:

> I've started another DCA run as the previous one seems to have failed.

Looks like this is due to an unrelated build failure, I think it may be fixed by a rebase or merge of main.

@hmac hmac force-pushed the hmac/insecure-download branch from 7636abf to f35379b Compare April 27, 2022 00:47
@hmac hmac merged commit ba1d43d into github:main Apr 27, 2022
@hmac hmac deleted the hmac/insecure-download branch April 27, 2022 23:07
Labels: Awaiting evaluation (Do not merge yet, this PR is waiting for an evaluation to finish), documentation, Ruby