Unvalidated download of the stack binary (and probably others).
While browsing this action's source code I stumbled over the fact that the downloads are unvalidated.
https://github.com/haskell/actions/blob/main/setup/src/installer.ts#L208-L209
Yes, it's unlikely that someone controls GitHub DNS and can fake an SSL cert to smuggle a bad binary into a GitHub action; it's still possible. And as this action is quite popular I wanted to raise the issue here.
It's likely other downloads are also unvalidated. If I had the time resources I'd PR a change that would allow us to register the expected sha256 of the various things this action could download, possibly even the GPG keys so we do not have to constantly churn hash updates. Given I do not have the time I opened this issue to potentially trigger someone else's energy ;)
Anyhow, for the moment, to put my mind at ease I switched away from this action and simply do this in my builds:
```sh
set -e
curl --location --output stack https://github.com/commercialhaskell/stack/releases/download/v2.9.1/stack-2.9.1-linux-x86_64-bin
echo 'dc4c60b2f018aadb2ebd40d81e5d10aada881d804a69911eea2da67906fc058c stack' | sha256sum -c
chmod +x ./stack
```
This does not get me implicit stack updates in any way, but at least it puts my paranoid mind at ease.
@mbj Thanks for reporting!
Please use permalinks in issue reports; as you can see, your link is already shifted.
Sorry, oversight on my side.
So, was it this you meant? https://github.com/haskell/actions/blob/93635e8c4ac823f55cf3444537a63d3f2fd589de/setup/src/installer.ts?rgh-link-date=2022-09-30T22%3A32%3A17Z#L222-L223
The hashes could live in this file: https://github.com/haskell/actions/blob/93635e8c4ac823f55cf3444537a63d3f2fd589de/setup/src/versions.json#L48-L55
But this file only states which versions the action knows of. You can still instruct it to download a stack version not in the list by giving the full stack version number. This feature should be preserved. So, say the action knew certain stack versions with their tar hashes: it could verify the tars if it has a hash and skip the step with a warning if it doesn't.
Yeah, so overall there is no validation of the content of the stack binary being done, which is standard practice for any download in the space. Stack by itself validates the GHC download hash, for example, before installing a GHC.
For the feature of "use your own stack version" I recommend also allowing, but not requiring, people to specify the hash of unknown versions.
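The verification policy discussed in the two comments above (known versions must match the hash on record, unknown versions may carry a user-supplied hash, and a download with no hash at all is allowed through with a warning rather than silently) as a worked example in TypeScript. This is added illustration code, not code from haskell/actions: the `KnownHashes` table shape, the `verifyDownload` function and the `SAMPLE_BINARY` bytes are all assumptions made for the example, not the action's `versions.json` schema or its installer API.

```typescript
import { createHash } from "node:crypto";

// Assumed shape for a per-version hash table (NOT the action's versions.json schema):
// stack version string -> lowercase hex SHA-256 of the downloaded artefact.
type KnownHashes = Record<string, string>;

type VerifyOutcome =
  | { status: "verified"; sha256: string }
  | { status: "skipped"; sha256: string; warning: string };

const HEX_SHA256 = /^[0-9a-f]{64}$/;

// Hex SHA-256 of an in-memory artefact.
export function sha256Hex(data: Uint8Array): string {
  return createHash("sha256").update(data).digest("hex");
}

// Policy:
//  - a hash supplied by the workflow author wins over the built-in table
//  - if any hash is available it MUST match, otherwise the install fails
//  - if no hash is available (version unknown, none supplied) the install
//    proceeds but reports a warning so the gap is visible in the job log
export function verifyDownload(
  version: string,
  data: Uint8Array,
  known: KnownHashes,
  userHash?: string,
): VerifyOutcome {
  const actual = sha256Hex(data);
  const expected = (userHash ?? known[version])?.trim().toLowerCase();

  if (expected === undefined) {
    return {
      status: "skipped",
      sha256: actual,
      warning: `no SHA-256 on record for stack ${version}; download was NOT verified`,
    };
  }
  if (!HEX_SHA256.test(expected)) {
    throw new Error(`malformed SHA-256 for stack ${version}: ${expected}`);
  }
  if (expected !== actual) {
    throw new Error(
      `SHA-256 mismatch for stack ${version}: expected ${expected}, got ${actual}`,
    );
  }
  return { status: "verified", sha256: actual };
}

// Constructed sample input standing in for a downloaded binary (not a real stack build).
export const SAMPLE_BINARY: Uint8Array = Buffer.from(
  "constructed sample bytes, not a real stack binary\n",
  "utf8",
);

// Constructed table: a "known" version whose hash is computed from the sample above.
export const SAMPLE_KNOWN: KnownHashes = {
  "9.9.9": sha256Hex(SAMPLE_BINARY),
};

// Stand-alone demo of the three paths.
const ok = verifyDownload("9.9.9", SAMPLE_BINARY, SAMPLE_KNOWN);
console.log(ok.status, ok.sha256);
const unknown = verifyDownload("9.9.10", SAMPLE_BINARY, SAMPLE_KNOWN);
if (unknown.status === "skipped") console.log("warning:", unknown.warning);
try {
  verifyDownload("9.9.9", Buffer.from("tampered\n", "utf8"), SAMPLE_KNOWN);
} catch (e) {
  console.log("rejected:", (e as Error).message);
}
```

The hash comparison itself is a plain string equality: the digests are not secrets, so constant-time comparison buys nothing here. What matters for the defender is that the failure path is an exception that stops the install, and that the "no hash available" path is loud rather than silent.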