You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
My name is Maciej Mensfeld and I run a research security project called diffend.io.
I've noticed, that this library downloads some external resources and uses them. While it's a totally common pattern, what is lacking here is integrity verification.
You could verify the integrity of the downloaded files before using it by comparing the file hash to a hardcoded, expected file hash. This is essentially what package managers do to verify the integrity of downloaded packages.
Doing this would prevent attack scenarios in which Rust binary from Cargo is manipulated.
I do understand it's a bit more work but this would improve security of this gem. I noticed many other gems use it and it may be beneficial.
Hey,
My name is Maciej Mensfeld and I run a research security project called diffend.io.
I've noticed, that this library downloads some external resources and uses them. While it's a totally common pattern, what is lacking here is integrity verification.
You could verify the integrity of the downloaded files before using it by comparing the file hash to a hardcoded, expected file hash. This is essentially what package managers do to verify the integrity of downloaded packages.
Doing this would prevent attack scenarios in which Rust binary from Cargo is manipulated.
I do understand it's a bit more work but this would improve security of this gem. I noticed many other gems use it and it may be beneficial.
Have a great day :)
thermite/lib/thermite/custom_binary.rb
Line 56 in 9b380eb
The text was updated successfully, but these errors were encountered: