Dependency download using unencrypted communication channel¶
ID: js/insecure-dependency
Kind: problem
Security severity: 8.1
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-300
- external/cwe/cwe-319
- external/cwe/cwe-494
- external/cwe/cwe-829
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Using an insecure protocol like HTTP or FTP to download build dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.
This can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.
Recommendation¶
Always use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from a URL. Transport encryption only protects the bytes in flight; to also detect a tampered artifact at the origin, commit a lockfile (package-lock.json records a "resolved" URL and an "integrity" hash for every package) so that a changed tarball fails installation.
Example¶
The example below shows a package.json file that downloads a dependency using the insecure HTTP protocol.
{
  "name": "example-project",
  "dependencies": {
    "unencrypted": "http://example.org/foo/tarball/release/0.0.1",
    "lodash": "^4.0.0"
  }
}
The fix is to change the protocol to HTTPS.
{
  "name": "example-project",
  "dependencies": {
    "unencrypted": "https://example.org/foo/tarball/release/0.0.1",
    "lodash": "^4.0.0"
  }
}
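As an added illustration of the check described above (this is not the CodeQL query and not code from the page), the following Node.js script applies the same idea to a parsed package.json: it walks the dependency fields, flags specifiers whose URL scheme is unencrypted, and rewrites the http and git+http cases to their TLS forms while leaving ftp and git specifiers for a human, since npm has no drop-in SFTP equivalent. The set of protocols, the field names, the helper names and the sample manifest are this example's own assumptions; the manifest is constructed and example.org is a placeholder host.

```javascript
// Added example: scan a package.json for dependencies fetched over
// unencrypted protocols. Not the CodeQL query; an illustration only.

// Schemes that carry no transport encryption or server authentication.
// The list is this example's choice, not taken from the CodeQL query.
const INSECURE_PROTOCOLS = new Set(["http:", "ftp:", "git:", "git+http:", "git+ftp:"]);

// package.json fields whose values are dependency specifiers.
const DEPENDENCY_FIELDS = [
  "dependencies",
  "devDependencies",
  "optionalDependencies",
  "peerDependencies",
];

// Return the scheme ("http:", "git+https:", ...) of a specifier that is a URL,
// or null for registry ranges like "^4.0.0" and shorthands like
// "github:user/repo" (which have no "//" and are fetched over HTTPS by npm).
function specProtocol(spec) {
  const m = /^([a-z][a-z0-9+.-]*):\/\//i.exec(spec);
  return m ? m[1].toLowerCase() + ":" : null;
}

// Walk every dependency field and collect specifiers using an insecure scheme.
function findInsecureDependencies(pkg) {
  const findings = [];
  for (const field of DEPENDENCY_FIELDS) {
    const deps = pkg[field];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (typeof spec !== "string") continue;
      const protocol = specProtocol(spec);
      if (protocol && INSECURE_PROTOCOLS.has(protocol)) {
        findings.push({ field, name, spec, protocol });
      }
    }
  }
  return findings;
}

// Return a copy of the manifest with http:// and git+http:// specifiers
// upgraded to https:// and git+https://. ftp:// and git:// have no secure
// form npm can fetch directly, so those findings are left for manual review.
function upgradeToHttps(pkg) {
  const out = JSON.parse(JSON.stringify(pkg));
  for (const { field, name, spec, protocol } of findInsecureDependencies(pkg)) {
    if (protocol === "http:") {
      out[field][name] = "https:" + spec.slice("http:".length);
    } else if (protocol === "git+http:") {
      out[field][name] = "git+https:" + spec.slice("git+http:".length);
    }
  }
  return out;
}

// Constructed sample manifest (hypothetical project and host).
const SAMPLE_PACKAGE_JSON = {
  name: "example-project",
  dependencies: {
    unencrypted: "http://example.org/foo/tarball/release/0.0.1",
    lodash: "^4.0.0",
    legacy: "git+http://example.org/foo/bar.git#v1.2.3",
  },
  devDependencies: {
    tool: "ftp://example.org/tool-1.0.0.tgz",
    safe: "https://example.org/safe.tgz",
    shorthand: "github:example/safe",
  },
};

// Usage: node insecure-deps.js [path/to/package.json]
// Without an argument the constructed sample above is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const pkg = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_PACKAGE_JSON;
  for (const f of findInsecureDependencies(pkg)) {
    console.log(`${f.field}.${f.name}: ${f.spec} uses insecure protocol ${f.protocol}`);
  }
}
```

Run it against a real manifest and expect one line per insecure specifier; an exit with no output means every URL-style dependency already uses an encrypted scheme. The scheme regex deliberately requires "//" so that registry ranges, file: paths and the github:/gitlab: shorthands are not misreported.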
References¶
Jonathan Leitschuh: Want to take over the Java ecosystem? All you need is a MITM!
Max Veytsman: How to take over the computer of any Java (or Clojure or Scala) Developer.
Wikipedia: Supply chain attack.
Wikipedia: Man-in-the-middle attack.
Common Weakness Enumeration: CWE-300.
Common Weakness Enumeration: CWE-319.
Common Weakness Enumeration: CWE-494.
Common Weakness Enumeration: CWE-829.