
[Security] Command example should link directly to repo to avoid supply chain vulnerabilities #335

Open
douglasg14b opened this issue Mar 7, 2024 · 0 comments

douglasg14b commented Mar 7, 2024

Supply chain attacks are running more and more rampant; a common vector for those is services that use URL shorteners to point back to their official repositories or download links.

These are especially effective at targeting developers who often trust commands that they are given from official repos.

It is impossible to validate that a shortened URL is not malicious unless you follow and investigate it yourself. This is even more dangerous when it's expected to be blindly run in a command line environment, increasing the risk of supply chain vulnerabilities either in the repo, or in forks/look-alikes.

Additionally, there's a high propensity for link-shortening services to inject their own assets into shortened links as they try to aggressively monetize, putting users of this at risk in their most vulnerable location (their router).

Links back to install scripts should link directly to the source, not to an unknown third party.
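As an added illustration of the review the issue asks for (example code, not part of the issue or the project), the following Python flags install one-liners that point at a URL shortener or pipe a download straight into a shell, and walks a shortened link's redirect chain one hop at a time without running anything. The shortener watch-list, the trusted-host set, and the URLs used are constructed placeholders.

```python
import http.client
import re
import shlex
from urllib.parse import urljoin, urlparse

# Constructed watch-list of common URL shortener hosts (assumption: extend to local policy).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly", "rb.gy"}
# Hosts the project treats as its own source (placeholder set, not taken from the issue).
TRUSTED_HOSTS = {"github.com", "raw.githubusercontent.com"}
INTERPRETERS = {"sh", "bash", "zsh", "dash", "python", "python3", "perl"}
URL_RE = re.compile(r"https?://[^\s'\"|;&()<>]+")


def analyse_install_command(command: str) -> dict:
    """Findings for a one-line install command: shortened/off-project URLs, pipe-to-interpreter."""
    findings = []
    urls = URL_RE.findall(command)
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened URL hides the real origin: {url}")
        elif host not in TRUSTED_HOSTS:
            findings.append(f"URL is not on the project's own host: {url}")
    # Any pipeline stage after the first that starts an interpreter executes the remote content.
    for stage in [s.strip() for s in command.split("|")][1:]:
        argv = shlex.split(stage)
        if argv and argv[0] == "sudo":
            argv = argv[1:]
        if argv and argv[0].rsplit("/", 1)[-1] in INTERPRETERS:
            findings.append(f"remote content is piped directly into an interpreter: {stage}")
    return {"urls": urls, "findings": findings, "ok": not findings}

def head_location(url: str):
    """Live lookup (assumption: network access): one HEAD request, redirect not followed."""
    p = urlparse(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=5)
    conn.request("HEAD", (p.path or "/") + (f"?{p.query}" if p.query else ""))
    resp = conn.getresponse()
    return resp.getheader("Location") if 300 <= resp.status < 400 else None

def resolve_chain(url: str, lookup=head_location, max_hops: int = 10) -> list:
    """Walk redirects one hop at a time, never fetching or running a body, to reveal the origin."""
    chain = [url]
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain
        chain.append(urljoin(chain[-1], nxt))
    raise RuntimeError(f"more than {max_hops} redirects from {url}")
```

`resolve_chain` accepts any `lookup` callable returning the next `Location` (or `None`), so a redirect map captured offline can be reviewed the same way as a live chain.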
