
Signed Releases check misses content packaged in tar/zip files

Open sudo-bmitch opened this issue 2 years ago • 8 comments

Describe the bug

The scan for signatures requires that the metadata is packaged with a specific filename in the release artifacts. However, this check does not inspect the contents of any tar or zip files, leading to false negatives when the signatures are embedded in one of those.

Reproduction steps

Steps to reproduce the behavior:

This could happen if releases are packaged:

  • Per platform, with binaries, signatures, and other metadata in a single tar per platform.
  • One tar for all artifacts in the release.
  • Separate tar for metadata from the released binaries.

Expected behavior

Encountered tar/tgz/zip files should be optionally downloaded and extracted to list contents before marking the check as failed.

sudo-bmitch avatar Nov 18 '23 21:11 sudo-bmitch

Hi, could you provide some more information about how you're using GitHub releases to manage this distribution? Is there a sample repo?

raghavkaul avatar Nov 20 '23 15:11 raghavkaul

Two examples I have available are my own regclient project that puts all the metadata in a tgz (it's a lot of small files that get less than 1% of the downloads), and go-containerregistry which doesn't have the signature in there but could include that alongside the binaries they package for each platform.

sudo-bmitch avatar Nov 20 '23 19:11 sudo-bmitch

Could extracting zip files introduce code execution, zip bombs, and path traversal attacks?

naveensrinivasan avatar Mar 13 '24 00:03 naveensrinivasan

Could extracting zip files introduce code execution, zip bombs, and path traversal attacks?

I believe a check could be written that parses the zip/tar without writing the contents to the local filesystem, mitigating these concerns.

sudo-bmitch avatar Mar 13 '24 14:03 sudo-bmitch
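One way to do the in-memory inspection described in the comment above, as an added example that is not Scorecard's own code: it walks the member headers of a .tgz without extracting anything (so entry names cannot cause path traversal) and caps how far gzip may expand (so a decompression bomb fails fast). The signature suffix list, the 64 MiB cap and the fixture builder are assumptions made for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"io"
	"path"
	"strings"
)

// Assumed values: a cap on decompressed bytes (gzip-bomb guard) and filename endings that mark signatures.
const maxDecompressed int64 = 64 << 20

var sigSuffixes = []string{".sig", ".asc", ".minisig", ".sigstore", ".pem"}

// TarGzHasSignature walks the member headers of an in-memory .tgz. tar.Reader.Next skips member
// bodies, so nothing is written to disk (no path traversal), and LimitReader bounds gzip expansion.
func TarGzHasSignature(data []byte) (bool, error) {
	gz, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return false, err
	}
	tr := tar.NewReader(io.LimitReader(gz, maxDecompressed))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return false, nil // archive fully scanned, no signature member found
		}
		if err != nil {
			return false, err // truncated, corrupt, or cut off by the decompression cap
		}
		for _, s := range sigSuffixes {
			if strings.HasSuffix(strings.ToLower(path.Base(hdr.Name)), s) {
				return true, nil
			}
		}
	}
}

// BuildTarGz makes a constructed in-memory fixture (not a real release artifact) to exercise the check.
func BuildTarGz(files map[string]string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, body := range files {
		_ = tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body))})
		_, _ = tw.Write([]byte(body))
	}
	_ = tw.Close()
	_ = gz.Close()
	return buf.Bytes()
}
```

The same header-only walk applies to zip, where archive/zip's central directory lists names and declared sizes without decompressing any member.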

Could extracting zip files introduce code execution, zip bombs, and path traversal attacks?

I believe a check could be written that parses the zip/tar without writing the contents to the local filesystem, mitigating these concerns.

I agree.

naveensrinivasan avatar Mar 13 '24 14:03 naveensrinivasan

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Jul 11 '24 01:07 github-actions[bot]

This is still triggering false positives.

sudo-bmitch avatar Jul 11 '24 10:07 sudo-bmitch

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Nov 10 '24 02:11 github-actions[bot]