[SECURITY] Lua Artifacts are downloaded insecurely
JLLeitschuh opened this issue · comments
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check
This project contain files that indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts can be MITMed to maliciously compromise them and infect the build artifacts that were produced.
This vulnerability has a CVSS v3.0 Base Score of 8.1/10
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
This isn't just theoretical
POC code has existed since 2014 to maliciously compromise software downloaded inflight.
See:
- Want to take over the Java ecosystem? All you need is a MITM!
- https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/
- https://github.com/mveytsman/dilettante
MITM Attacks Increasingly Common
See:
- https://serverfault.com/a/153065
- https://security.stackexchange.com/a/12050
- Comcast continues to inject its own code into websites you visit (over HTTP)
Source Locations
gh-actions-lua/install-lua/main.js
Line 42 in 596c2b8
gh-actions-lua/install-lua/main.js
Line 77 in 596c2b8
Thanks for catching this. We still need to add checksum validation
I'm chatting with the GH Security team about wiring that in directly to the exposed API.
This issue is now being tracked here: actions/toolkit#162