From 7915ac567ab19700e44ad6b5d8ef0b85e48a9e75 Mon Sep 17 00:00:00 2001
From: Iskren Chernev
Date: Tue, 23 Aug 2022 15:31:12 +0300
Subject: [PATCH] Bugfix: Prevent cleartext transmission of tz data during build

grunt build script downloaded tz data via unencrypted ftp, which could enable an attacker to MITM and provide a bogus tz data, compromising the build pipeline or the whole build moment. Switch to using an https endpoing provided by IANA to avoid this.

Advisory: https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c
---
 tasks/data-download.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/data-download.js b/tasks/data-download.js
index d232939f..35565324 100644
--- a/tasks/data-download.js
+++ b/tasks/data-download.js
@@ -9,7 +9,7 @@ module.exports = function (grunt) {
     var done = this.async(),
       src = (version === 'latest' ?
-        'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz' :
+        'https://data.iana.org/time-zones/tzdata-latest.tar.gz' :
         'https://data.iana.org/time-zones/releases/tzdata' + version + '.tar.gz'),
       curl = path.resolve('temp/curl', version, 'data.tar.gz'),
       dest = path.resolve('temp/download', version);
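Review bot: Moving the `'latest'` source to https authenticates the transport, but nothing in the hunk verifies the integrity of the downloaded archive itself, so a compromised or misconfigured origin could still feed the build a substituted tarball; IANA publishes detached signatures next to its releases, and verifying one (or pinning an expected checksum for the versioned branch) would close that gap and is worth noting as a follow-up in the task, e.g. `// TODO: verify the tzdata archive (IANA signature or pinned checksum) before extracting`. The `version` argument is still spliced unvalidated into the second URL and into both `path.resolve('temp/curl', version, ...)` and `path.resolve('temp/download', version)`; a shape check before building `src` (accepting only `'latest'` or a plain release name) would keep an odd task argument from producing an unexpected URL or directory. The curl invocation that consumes `src`, and the enclosing task callback, begin outside this hunk, so whether the fetch fails on HTTP errors or is restricted to https cannot be confirmed from the visible lines.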