Dependency download using unencrypted communication channel

ID: rb/insecure-dependency
Kind: problem
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-300
- external/cwe/cwe-319
- external/cwe/cwe-494
- external/cwe/cwe-829
Query suites:
- ruby-code-scanning.qls
- ruby-security-extended.qls
- ruby-security-and-quality.qls
Using an insecure protocol like HTTP or FTP to download dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.
This can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.
Always use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from a URL.
The following example shows a Gemfile that specifies a gem source using the insecure HTTP protocol.

```ruby
source "http://rubygems.org"

gem "my-gem-a", "1.2.3"
```
The fix is to change the protocol to HTTPS.
```ruby
source "https://rubygems.org"

gem "my-gem-a", "1.2.3"
```
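As an added illustration (not part of the CodeQL query or its documentation), the following Ruby script performs the same kind of check on a Gemfile: it reports `source`, `git:` and `remote` URLs that use an unencrypted scheme and rewrites them to their encrypted counterparts. The sample Gemfile and the `example.com` repository URLs are constructed for this example.

```ruby
# Added example, not code from the CodeQL query or its documentation.
# Scans Gemfile text for dependency URLs fetched over an unencrypted
# channel (the condition rb/insecure-dependency flags) and hardens them.
require "uri"

INSECURE_SCHEMES = %w[http ftp].freeze

# Returns one [line_number, directive, url] entry for every source/git/remote
# URL whose scheme is http or ftp.
def insecure_dependency_sources(gemfile_text)
  findings = []
  gemfile_text.each_line.with_index(1) do |line, lineno|
    code = line.sub(/#.*$/, "") # drop trailing comments (naive: ignores '#' in URLs)
    # Matches `source "..."`, `source("...")`, `git: "..."` and `remote: "..."`.
    code.scan(/\b(source|git|remote)\s*[:(]?\s*["']([^"'\s]+)["']/) do |directive, url|
      uri = URI.parse(url) rescue nil
      next unless uri && INSECURE_SCHEMES.include?(uri.scheme.to_s.downcase)
      findings << [lineno, directive, url]
    end
  end
  findings
end

# Rewrites http:// to https:// and ftp:// to sftp:// in dependency URLs,
# mirroring the fix shown above.
def harden_gemfile(gemfile_text)
  gemfile_text.gsub(/\b(source|git|remote)(\s*[:(]?\s*["'])(http|ftp):\/\//) do
    "#{$1}#{$2}#{$3 == 'http' ? 'https' : 'sftp'}://"
  end
end

# Constructed sample Gemfile (not from the original page); example.com is a placeholder.
SAMPLE_GEMFILE = <<~GEMFILE
  source "http://rubygems.org"   # insecure: plain HTTP
  source "https://rubygems.org"
  gem "my-gem-a", "1.2.3"
  gem "my-gem-b", git: "http://example.com/my-gem-b.git"
  gem "my-gem-c", git: "https://example.com/my-gem-c.git"
GEMFILE

if __FILE__ == $0
  insecure_dependency_sources(SAMPLE_GEMFILE).each do |lineno, directive, url|
    puts "line #{lineno}: #{directive} uses insecure URL #{url}"
  end
end
```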
Jonathan Leitschuh: Want to take over the Java ecosystem? All you need is a MITM!
Wikipedia: Supply chain attack.
Wikipedia: Man-in-the-middle attack.
Common Weakness Enumeration: CWE-300.
Common Weakness Enumeration: CWE-319.
Common Weakness Enumeration: CWE-494.
Common Weakness Enumeration: CWE-829.