
Unencrypted protocol used.

Open brijeshsch opened this issue 3 years ago • 2 comments

**Describe the bug**
"The call to request() in index.js on line 1468 uses an unencrypted protocol instead of an encrypted protocol to communicate with the server."

**To Reproduce**
From the Fortify tool we found the below issue while scanning the repository.

**Expected behavior**
No critical issues reported.

**Screenshots**
NA

**Versions**

  • Frogbot version: 2.1.2
  • Operating system:
  • JFrog Artifactory version:
  • JFrog Xray version:

**Additional context**
All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in the mobile environment where devices frequently connect to unsecured, public, wireless networks using WiFi connections.

Example 1: The following example reads data using the HTTP protocol (instead of using HTTPS).

```javascript
var http = require('http');
...
http.request(options, function(res){
  ...
});
...
```

The incoming http.IncomingMessage object, res, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.

brijeshsch avatar Jul 04 '22 05:07 brijeshsch

@brijeshsch, thanks for reporting this issue! We take security issues seriously. It sounds like the issue appears in the TypeScript/JavaScript code of the GitHub Action. However, in the GitHub Action code, we only download the Frogbot executable from https://releases.jfrog.io/artifactory/frogbot. It is possible that the HTTP protocol you see is in use in one of the dependencies.

Do you have any more information about this error, such as stacktrace or anything that may imply in which dependency this problem occurs?

Thanks!

yahavi avatar Jul 06 '22 08:07 yahavi

@yahavi I don't have any stacktrace as this scan was done on the repository before we enabled this action on our GitHub Enterprise Server. Thanks

brijeshsch avatar Jul 13 '22 05:07 brijeshsch