CodeQL documentation

Dependency download using unencrypted communication channel

ID: js/insecure-dependency
Kind: problem
Security severity: 8.1
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-300
   - external/cwe/cwe-319
   - external/cwe/cwe-494
   - external/cwe/cwe-829
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls


Using an insecure protocol such as HTTP or FTP to download build dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack, because the downloaded bytes are neither encrypted nor authenticated in transit.

An attacker positioned on the network path can inject malicious code into the downloaded dependency, thereby infecting the build artifacts and executing arbitrary code on the machine that builds them.

Recommendation

Always use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from a URL.

Example

The example below shows a package.json file that declares a dependency to be downloaded over the insecure HTTP protocol.

{
  "name": "example-project",
  "dependencies": {
    "unencrypted": "http://example.org/foo/tarball/release/0.0.1",
    "lodash": "^4.0.0"
  }
}

The fix is to change the protocol to HTTPS.

{
  "name": "example-project",
  "dependencies": {
    "unencrypted": "https://example.org/foo/tarball/release/0.0.1",
    "lodash": "^4.0.0"
  }
}
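
The following is an added example, not part of the CodeQL query or the original page: a small checker that scans the dependency sections of a package.json and reports any specifier whose download would travel over an unencrypted channel, which is the condition this query flags. The list of dependency sections and the set of insecure URL schemes (including git+http for git dependencies) are assumptions made for the example.

```javascript
// Added example (not the CodeQL query itself): flag package.json dependency
// specifiers that would be fetched over an unencrypted channel.
// Assumption: these are the sections npm reads dependency specifiers from.
const DEP_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Assumption: schemes that carry the download in plaintext. git+http and
// git+ftp cover git dependencies cloned over an unencrypted transport.
const INSECURE_SCHEMES = ['http', 'ftp', 'git+http', 'git+ftp'];

// Returns the insecure scheme of a specifier, or null if the specifier is a
// version range, tag, local path, or a URL using a secure scheme.
function insecureScheme(spec) {
  if (typeof spec !== 'string') return null;
  const m = /^([a-z][a-z0-9+.-]*):\/\//i.exec(spec.trim());
  if (!m) return null; // "^4.0.0", "latest", "file:..." etc. are not URLs
  const scheme = m[1].toLowerCase();
  return INSECURE_SCHEMES.includes(scheme) ? scheme : null;
}

// Parses package.json text and returns one finding per insecure specifier.
function findInsecureDependencies(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  for (const section of DEP_SECTIONS) {
    const deps = pkg[section];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, spec] of Object.entries(deps)) {
      const scheme = insecureScheme(spec);
      if (scheme) findings.push({ section, name, spec, scheme });
    }
  }
  return findings;
}

// Constructed sample input: the page's example plus a few edge cases.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-project',
  dependencies: {
    unencrypted: 'http://example.org/foo/tarball/release/0.0.1',
    lodash: '^4.0.0',
    secure: 'https://example.org/foo/tarball/release/0.0.1',
  },
  devDependencies: {
    tool: 'git+http://example.org/tool.git#v1.0.0',
    other: 'git+ssh://git@example.org/other.git',
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findInsecureDependencies(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.section}.${f.name}: ${f.spec} uses insecure scheme "${f.scheme}"`);
  }
}
```

Running it on the sample reports the http tarball and the git+http dependency while leaving the version range, the HTTPS URL and the git+ssh URL alone.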
