Lack of integrity verification of downloaded external dependencies

[mensfeld]

Hey,

My name is Maciej Mensfeld and I run a research security project called diffend.io.

I've noticed, that this library downloads some external resources and uses them. While it's a totally common pattern, what is lacking here is integrity verification.

You could verify the integrity of the downloaded file before using it by comparing the file hash to a hardcoded, expected file hash.

This is essentially what package managers do to verify the integrity of downloaded packages.

Doing this would prevent attack scenarios in which SwiftLint is manipulated.

Have a great day :)

[ashfurrow]

Hi Maciej 👋 You are correct that we download resources from GitHub to execute:

danger-ruby-swiftlint/ext/swiftlint/Rakefile

Lines 10 to 22 in 7736083

	REPO = 'https://github.com/realm/SwiftLint'
	VERSION = ENV['SWIFTLINT_VERSION'] || DangerSwiftlint::SWIFTLINT_VERSION
	ASSET = 'portable_swiftlint.zip'
	URL = "#{REPO}/releases/download/#{VERSION}/#{ASSET}"
	DESTINATION = File.expand_path(File.join(File.dirname(__FILE__), 'bin'))
	puts "Downloading swiftlint@#{VERSION}"
	sh [
	"mkdir -p '#{DESTINATION}'",
	"curl -s -L #{URL} -o #{ASSET}",
	"unzip -q #{ASSET} -d '#{DESTINATION}'",
	"rm #{ASSET}"
	].join(' && ')

And you are correct that we could hardcode and md5 hash (for example) into our codebase to verify the integrity of SwiftLint. We haven't done so because it hasn't been a priority; we rely on HTTPS to provide reasonable-ish security. For a tool that runs on CI servers, this has been sufficient.

That said, it would not be difficult to add an integrity check (and corresponding unit test). I'm going to leave this issue open in case anyone would like to add this.

[mensfeld]

Thank you. Much appreciated.