rules_go

Enforce SHA-256 for all external downloads

Open tgovacul opened this issue 1 month ago • 3 comments

Mitigates supply-chain RCE (Google VRP issue 462506853). Any genrule that downloads external tarballs now must provide SHA-256; otherwise the build fails.

What type of PR is this?

Uncomment one line below and remove others.

Bug fix Feature Documentation Other

What does this PR do? Why is it needed?

Which issues(s) does this PR fix?

Fixes #

Other notes for review

tgovacul avatar Nov 21 '25 10:11 tgovacul

Summary

Introduces //tools:download.bzl with secure_download() macro.
Build fails if SHA-256 missing/wrong – mitigates supply-chain RCE
reported in Google VRP issue 462506853.

Testing

bazel test //... passes; intentional hash mismatch fails as expected.

tgovacul avatar Nov 21 '25 10:11 tgovacul
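As an added illustration (not code from this PR, and not the rules_go project's own), this is what the check described in the summary above amounts to when written out in Go: an artifact is accepted only when the caller supplies a SHA-256 and the computed digest matches it, so a missing hash, a malformed hash and a wrong hash are each a hard failure rather than a warning. The artifact bytes and their expected digest are constructed test data, and the names `VerifySHA256`, `ErrNoHash` and `ErrHashMismatch` are chosen here; they are not the PR's `secure_download()`.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed sample artifact and its SHA-256, standing in for a downloaded
// tarball. The digest is the well-known SHA-256 of the three bytes "abc".
const (
	ConstructedArtifact       = "abc"
	ConstructedArtifactSHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
)

// Sentinel errors so a caller (or a test) can tell the failure modes apart.
var (
	ErrNoHash       = errors.New("secure download: expected sha256 is required")
	ErrHashMismatch = errors.New("secure download: sha256 mismatch")
)

// VerifySHA256 streams r, hashes it, and returns the bytes only if the digest
// equals expectedHex. An empty expectedHex is rejected up front: the point of
// pinning is that "no hash" must never silently mean "any content is fine".
// A malformed hex string is its own error so a typo in the pin is not
// reported as a tampered download.
func VerifySHA256(r io.Reader, expectedHex string) ([]byte, error) {
	expectedHex = strings.ToLower(strings.TrimSpace(expectedHex))
	if expectedHex == "" {
		return nil, ErrNoHash
	}
	want, err := hex.DecodeString(expectedHex)
	if err != nil || len(want) != sha256.Size {
		return nil, fmt.Errorf("secure download: malformed sha256 pin %q", expectedHex)
	}

	// Hash while reading so the body is only held once; large tarballs could
	// instead be written to disk and hashed without buffering in memory.
	h := sha256.New()
	body, err := io.ReadAll(io.TeeReader(r, h))
	if err != nil {
		return nil, fmt.Errorf("secure download: read failed: %w", err)
	}
	got := h.Sum(nil)

	// Constant-time compare is not strictly needed for a public digest, but it
	// costs nothing and avoids the habit of byte-by-byte early exits.
	if subtle.ConstantTimeCompare(got, want) != 1 {
		return nil, fmt.Errorf("%w: want %s, got %x", ErrHashMismatch, expectedHex, got)
	}
	return body, nil
}

func main() {
	// Good pin: the artifact is returned.
	if _, err := VerifySHA256(strings.NewReader(ConstructedArtifact), ConstructedArtifactSHA256); err != nil {
		panic(err)
	}
	fmt.Println("pinned download accepted")

	// No pin at all: must fail, this is the case the PR summary says should break the build.
	_, err := VerifySHA256(strings.NewReader(ConstructedArtifact), "")
	fmt.Println("missing pin:", err)

	// Wrong pin: must fail with a mismatch.
	_, err = VerifySHA256(strings.NewReader(ConstructedArtifact), strings.Repeat("00", sha256.Size))
	fmt.Println("wrong pin:", err)
}
```

For Bazel itself this is not new ground: `http_archive` and `http_file` already take a `sha256` (and newer releases an `integrity`) attribute and fail the fetch on mismatch, which is the normal way to pin external tarballs; a genrule that fetches over the network during the build is unusual there, which is what the reviewer's second question below is getting at.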

CLA already signed – see https://cla.developers.google.com/clas/signed (Luca Vogt)

tgovacul avatar Nov 21 '25 11:11 tgovacul

Could you explain this a bit? It doesn't really make any sense.

  • What is the issue 462506853? Please link?
  • What genrules in this repo download external tarballs?
  • How does that cause remote code execution?
  • What's the purpose of introducing this macro, since it's not called anywhere?

jayconrod avatar Nov 21 '25 15:11 jayconrod