-
-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
Add signature verification to V2 tool install endpoint #826
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
umbynos
added
type: enhancement
Proposed improvement
topic: code
Related to content of the project itself
topic: security
Related to the protection of user data
labels
Sep 7, 2023
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## main #826 +/- ##
==========================================
+ Coverage 16.88% 17.32% +0.44%
==========================================
Files 53 53
Lines 4075 4081 +6
==========================================
+ Hits 688 707 +19
+ Misses 3287 3273 -14
- Partials 100 101 +1
Flags with carried forward coverage won't be shown. Click here to find out more.
☔ View full report in Codecov by Sentry. |
2 tasks
alessio-perugini
approved these changes
Sep 7, 2023
The endpoint affected is `/v2/pkgs/tools/installed`. If the signature is invalid the endpoint returns 500 with "rsa verification error" If the signature is not present we try to install the tool using "name, version, packager" arguments
umbynos
force-pushed
the
add-signature-tool-install
branch
from
September 25, 2023 14:39
b7d18c2
to
a839105
Compare
rhaidiz
approved these changes
Sep 25, 2023
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Labels
topic: code
Related to content of the project itself
topic: security
Related to the protection of user data
type: enhancement
Proposed improvement
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please check if the PR fulfills these requirements
before creating one)
security enhancement in the V2 tools install endpoint
The "URL" and "Checksum" arguments of the
/v2/pkgs/tools/installed
endpoint are overriding "name", "packager" and "version" without performing signature verification:If "URL" or "Checksum" or "Signature" arguments are not present, we try to install the tool from the loaded package_index.json:
With the same CURL listed above, this is the result:
The signature is used to verify the URL.
If the signature is present but does not match:
Technically no, since the Web Editor is already sending the "signature" argument in the request to the agent.