Download of sensitive file through insecure connection¶
ID: js/insecure-download
Kind: path-problem
Security severity: 8.1
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-829
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Downloading executables or other sensitive files over an unencrypted connection exposes the downloading system to man-in-the-middle (MITM) attacks. Because plain HTTP provides neither confidentiality nor integrity, an attacker on the network path can tamper with the response and insert arbitrary content into the downloaded file; if that file is then executed, the attacker can run arbitrary code on the vulnerable system.
Recommendation¶
Use a secure transfer protocol such as HTTPS when downloading executables or other sensitive files, and do not disable certificate validation for such downloads.
Example¶
In this example, a server downloads a shell script from a remote URL using the node-fetch library, and then executes this shell script.

```javascript
const fetch = require("node-fetch");
const cp = require("child_process");

// BAD: the script is fetched over plain HTTP, so anyone on the network path
// can replace its contents before it is executed.
fetch('http://mydownload.example.org/myscript.sh')
  .then(res => res.text())
  .then(script => cp.execSync(script));
```
The HTTP protocol is vulnerable to MITM, so an attacker could replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.

The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol. Note that this only helps if TLS certificate validation is left enabled; the client still places full trust in the origin server, so pinning a known-good hash or signature of the file is a worthwhile additional check.

```javascript
const fetch = require("node-fetch");
const cp = require("child_process");

// GOOD: HTTPS gives the download confidentiality and integrity in transit.
fetch('https://mydownload.example.org/myscript.sh')
  .then(res => res.text())
  .then(script => cp.execSync(script));
```
References¶
Wikipedia: Man-in-the-middle attack
Common Weakness Enumeration: CWE-829.