Paragon Initiative Enterprises: Using plain git protocol (vulnerable to MITM)

2016-11-09T23:34:30
ID H1:181214
Type hackerone
Reporter e3amn2l
Modified 2016-11-09T23:47:38

Description

Using plain git protocol (git://domain) is insecure as the server is not verified (MITM attacker can return different content if last commit not checked against known one) more information about this issue (Protocols to choose from when cloning): https://gist.github.com/grawity/4392747 vcs-field-uses-insecure-uri check details: https://lintian.debian.org/tags/vcs-field-uses-insecure-uri.html

in: https://github.com/paragonie/airship/blob/master/.travis.yml#L12 - git clone git://github.com/jedisct1/libsodium.git

fix: 1. use https protocol instead of git. (https:// vs git://) 2. implement verification of last commit/tag if possible (known commit/tag is fetched instead of master), more details about possible implementations in report: "Missing GIT tag/commit verification in Docker" https://hackerone.com/reports/181212