Skip to content

Ruby: Add InsecureDownload query#8658

Merged
hmac merged 6 commits intogithub:mainfrom
hmac:hmac/insecure-download
Apr 27, 2022
Merged

Ruby: Add InsecureDownload query#8658
hmac merged 6 commits intogithub:mainfrom
hmac:hmac/insecure-download

Conversation

@hmac
Copy link
Contributor

@hmac hmac commented Apr 4, 2022

This query finds cases where a potentially unsafe file is downloaded
over an unsecured connection.

@github-actions
Copy link
Contributor

github-actions bot commented Apr 4, 2022

QHelp previews:

ruby/ql/src/queries/security/cwe-829/InsecureDownload.qhelp

Download of sensitive file through insecure connection

Downloading executeables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.

Recommendation

Use a secure transfer protocol when downloading executables or other sensitive files.

Example

In this example, a server downloads a shell script from a remote URL and then executes the script.

require "net/http"

script = Net::HTTP.new("http://mydownload.example.org").get("/myscript.sh").body
system(script)

The HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.

The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.

require "net/http"

script = Net::HTTP.new("https://mydownload.example.org").get("/myscript.sh").body
system(script)

References

1 similar comment
@github-actions
Copy link
Contributor

github-actions bot commented Apr 4, 2022

QHelp previews:

ruby/ql/src/queries/security/cwe-829/InsecureDownload.qhelp

Download of sensitive file through insecure connection

Downloading executeables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.

Recommendation

Use a secure transfer protocol when downloading executables or other sensitive files.

Example

In this example, a server downloads a shell script from a remote URL and then executes the script.

require "net/http"

script = Net::HTTP.new("http://mydownload.example.org").get("/myscript.sh").body
system(script)

The HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.

The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.

require "net/http"

script = Net::HTTP.new("https://mydownload.example.org").get("/myscript.sh").body
system(script)

References

@hmac hmac force-pushed the hmac/insecure-download branch from c799e21 to b2f8529 Compare April 4, 2022 22:08
@github-actions
Copy link
Contributor

github-actions bot commented Apr 4, 2022

QHelp previews:

ruby/ql/src/queries/security/cwe-829/InsecureDownload.qhelp

Download of sensitive file through insecure connection

Downloading executeables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.

Recommendation

Use a secure transfer protocol when downloading executables or other sensitive files.

Example

In this example, a server downloads a shell script from a remote URL and then executes the script.

require "net/http"

script = Net::HTTP.new("http://mydownload.example.org").get("/myscript.sh").body
system(script)

The HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.

The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.

require "net/http"

script = Net::HTTP.new("https://mydownload.example.org").get("/myscript.sh").body
system(script)

References

2 similar comments
@github-actions
Copy link
Contributor

github-actions bot commented Apr 4, 2022

QHelp previews:

ruby/ql/src/queries/security/cwe-829/InsecureDownload.qhelp

Download of sensitive file through insecure connection

Downloading executeables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.

Recommendation

Use a secure transfer protocol when downloading executables or other sensitive files.

Example

In this example, a server downloads a shell script from a remote URL and then executes the script.

require "net/http"

script = Net::HTTP.new("http://mydownload.example.org").get("/myscript.sh").body
system(script)

The HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.

The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.

require "net/http"

script = Net::HTTP.new("https://mydownload.example.org").get("/myscript.sh").body
system(script)

References

@github-actions
Copy link
Contributor

github-actions bot commented Apr 4, 2022

QHelp previews:

ruby/ql/src/queries/security/cwe-829/InsecureDownload.qhelp

Download of sensitive file through insecure connection

Downloading executeables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.

Recommendation

Use a secure transfer protocol when downloading executables or other sensitive files.

Example

In this example, a server downloads a shell script from a remote URL and then executes the script.

require "net/http"

script = Net::HTTP.new("http://mydownload.example.org").get("/myscript.sh").body
system(script)

The HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.

The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.

require "net/http"

script = Net::HTTP.new("https://mydownload.example.org").get("/myscript.sh").body
system(script)

References

@hmac hmac added the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Apr 4, 2022
@hmac hmac marked this pull request as ready for review April 14, 2022 02:06
@hmac hmac requested a review from a team as a code owner April 14, 2022 02:06
@github-actions
Copy link
Contributor

github-actions bot commented Apr 14, 2022

QHelp previews:

ruby/ql/src/queries/security/cwe-829/InsecureDownload.qhelp

Download of sensitive file through insecure connection

Downloading executeables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.

Recommendation

Use a secure transfer protocol when downloading executables or other sensitive files.

Example

In this example, a server downloads a shell script from a remote URL and then executes the script.

require "net/http"

script = Net::HTTP.new("http://mydownload.example.org").get("/myscript.sh").body
system(script)

The HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.

The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.

require "net/http"

script = Net::HTTP.new("https://mydownload.example.org").get("/myscript.sh").body
system(script)

References

alexrford
alexrford reviewed Apr 26, 2022
View reviewed changes
Copy link
Contributor

@alexrford alexrford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just some nitpicks and points I was unsure about. I've started another DCA run as the previous one seems to have failed.

@alexrford
Copy link
Contributor

alexrford commented Apr 26, 2022

I've started another DCA run as the previous one seems to have failed.

Looks like this is due to an unrelated build failure, I think it may be fixed by a rebase or merge of main.

@hmac hmac force-pushed the hmac/insecure-download branch from 7636abf to f35379b Compare April 27, 2022 00:47
@hmac hmac merged commit ba1d43d into github:main Apr 27, 2022
@hmac hmac deleted the hmac/insecure-download branch April 27, 2022 23:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@alexrford alexrford alexrford approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish documentation Ruby

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hmac @alexrford