This repository was archived by the owner on Jun 1, 2026. It is now read-only.

security: CWE-494: Download without integrity check — VC-53690#1

Open
SahilWikhe-sw wants to merge 1 commit into Venafi:main from SahilWikhe-sw:VC-53690-logos-fix-c

Conversation

@SahilWikhe-sw


Summary

This PR addresses CWE-494 (Download of Code Without Integrity Check), CWE-345 (Insufficient Verification of Data Authenticity), and CWE-1269 (Product Released in Non-Release Configuration) by applying minimal transport hardening and removing a misleading security control.

Finding

CVSS: 8.9 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

The action declared a verify input (lines 22-25) that promised cosign verification of downloaded archives, but this setting was never read anywhere in the composite action's runs: block. The download step (line 122) used curl -sL without:

  • Failure detection (--fail flag absent)
  • Integrity verification (no checksum or signature comparison)
  • Transport security enforcement (no --proto or TLS version constraints)

As a result, consumers who explicitly set verify: true believing they were enabling cryptographic verification received identical behavior to verify: false. A compromised or replaced release asset would be downloaded, extracted, made executable, and prepended to $GITHUB_PATH with no validation.

Remediation

Applied the minimal viable fix as recommended in the security assessment:

  1. Removed the dead verify input (CWE-1269)
    • Deleted lines 22-25 to eliminate the misleading security control
    • Consumers can no longer be misled into believing verification is enabled
  2. Hardened curl transport (partial CWE-494 mitigation)
    • Changed curl -sL to curl --fail --proto '=https' --tlsv1.2 -sSL
    • --fail: Enables proper HTTP error detection (4xx/5xx responses cause non-zero exit)
    • --proto '=https': Restricts to HTTPS protocol only
    • --tlsv1.2: Enforces minimum TLS 1.2

Note: Full CWE-494 closure via cosign signature verification or SHA256SUMS checking is deferred to maintainer discretion. This PR implements the transport layer hardening only.

Verification

  • The changes are minimal and focused on the identified vulnerabilities
  • No functional changes to the installation logic beyond error detection
  • Existing workflows using this action should continue to work unchanged (unless upstream release assets are unavailable or HTTP errors occur, which should fail loudly rather than silently)
  • Build/test: No conventional build or test suite detected in repository (GitHub Action YAML only)
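As an added illustration (not code from this PR or from the action itself), the shell below places the original `curl -sL` call beside the hardened form the PR introduces, and adds the SHA256SUMS-style digest check the PR description leaves to maintainer discretion. The function names (`weak_download`, `hardened_download`, `verify_sha256`, `fetch_and_verify`) and the flow of verifying into a temp file before marking anything executable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the action's own code. POSIX sh; needs curl and
# sha256sum (or shasum on macOS).
set -eu

# Weak form the PR replaces: silent, follows redirects, treats a 404 body
# as the artifact, and lets a redirect switch away from HTTPS.
weak_download() { curl -sL "$1" -o "$2"; }

# Hardened form from the PR: --fail turns 4xx/5xx into a non-zero exit,
# --proto '=https' rejects any non-HTTPS URL (including on redirect),
# --tlsv1.2 sets a TLS floor, -S still reports errors under -s.
hardened_download() {
  curl --fail --proto '=https' --tlsv1.2 -sSL "$1" -o "$2"
}

# Hex SHA-256 of a file, portable across Linux and macOS.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a file's digest with an expected value, e.g. one taken from a
# release's SHA256SUMS asset. Exit 0 on match, 1 on mismatch.
verify_sha256() {
  file="$1"; expected="$2"
  actual="$(file_sha256 "$file" | tr 'A-F' 'a-f')"
  expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
  [ "$actual" = "$expected" ]
}

# Download to a temp file, verify, and only then install and chmod +x.
# A failed transfer or digest mismatch leaves nothing on $dest or $PATH.
fetch_and_verify() {
  url="$1"; dest="$2"; expected="$3"
  tmp="$(mktemp)"
  if hardened_download "$url" "$tmp" && verify_sha256 "$tmp" "$expected"; then
    mv "$tmp" "$dest" && chmod +x "$dest"
  else
    rm -f "$tmp"
    echo "download or checksum verification failed for $url" >&2
    return 1
  fi
}
```

Usage would be `fetch_and_verify "$ASSET_URL" ./tool "$EXPECTED_SHA256"` before adding the directory to GITHUB_PATH; the expected digest must come from a source other than the asset download itself.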
