CodeQL documentation

Download of sensitive file through insecure connection

ID: js/insecure-download
Kind: path-problem
Security severity: 8.1
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-829
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Downloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.

Recommendation

Use a secure transfer protocol when downloading executables or other sensitive files.

Example

In this example, a server downloads a shell script from a remote URL using the node-fetch library, and then executes this shell script.

const fetch = require("node-fetch");
const cp = require("child_process");

fetch('http://mydownload.example.org/myscript.sh')
    .then(res => res.text())
    .then(script => cp.execSync(script));

The HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.

The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.

const fetch = require("node-fetch");
const cp = require("child_process");

fetch('https://mydownload.example.org/myscript.sh')
    .then(res => res.text())
    .then(script => cp.execSync(script));

References

  • © GitHub, Inc.
  • Terms
  • Privacy