Introduce user-defined wrapdb mirror #13953
c704280 to 1182455
This consolidates all queries to the wrapdb to go through the `open_wrapdburl()` function. The function handles a domain-specific URL scheme, `wrapdb`. When encountered, it substitutes the scheme with `https` and an authority (netloc) with either the upstream wrapdb address or a user-defined one from the `MESON_WRAPDB_MIRROR` environment variable.
1182455 to 840f286
This has the potential to be a really nasty way of hijacking user queries for malware injection. Not to mention all the other ways in which environment variables are terrible for storing persistent configuration.
@jpakkane you mean adding more malware, once an attacker has already gained control over the user's shell environment? Or getting the first handful of malware by the user getting source code from the untrustworthy mirror? I'd be glad to hear of alternative, more secure options. Providing the mirror address as a Getting code from untrusted sources is, IMO, a user problem. I honestly don't expect anyone to use a random third-party mirror found on a search engine.
Ok, I can see this being abused on a build machine, as a stepping ladder of a more complex attack. What's worse, it will affect users that are not aware of this variable.
8e6b1d6 to babf222
Environment variables are prone to shell injection attacks, especially on build servers that many people may have access to. Changing the address in a file requires an explicit command that is supposedly under the control of a trusted developer.
babf222 to 51a23d2
@jpakkane, I changed it to use an explicit user-provided address, unaffected by environment variables, limited to a single workspace. It looks tempting to store the address inside
This consolidates all queries to the wrapdb to go through the `open_wrapdburl()` function. The function handles a domain-specific URL scheme, `wrapdb`. When encountered, it substitutes the scheme with `https` and an authority (netloc) with either the upstream wrapdb address or a user-defined one stored in the `subprojects/wrap-mirrors.json` file.

The user should use the `meson wrap set-db-address <mirror-address>` command to create the file. It looks a bit more secure to me than using an environment variable.

Justification:
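
The scheme substitution described in the PR text above, as an added example that is not part of the pull request or Meson's code: it rewrites `wrapdb://` URLs to `https://` and accepts a mirror only when it is a bare `host[:port]`. The function names, the upstream host constant, the `{"wrapdb": "<host>"}` file layout and the sample URLs are assumptions made for this sketch.

```python
import json
import re
from pathlib import Path
from urllib.parse import urlsplit, urlunsplit

# Assumption: upstream WrapDB host; the PR text only says "upstream wrapdb address".
UPSTREAM = "wrapdb.mesonbuild.com"
# Bare host with optional port: no scheme, userinfo, path, query or whitespace.
_HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?(:\d{1,5})?")


def validate_mirror(addr):
    """Accept only host[:port] so the value cannot carry a scheme, credentials or path."""
    if not isinstance(addr, str) or not _HOST_RE.fullmatch(addr):
        raise ValueError(f"invalid mirror address: {addr!r}")
    return addr.lower()


def load_mirror(workspace):
    """Read the per-workspace mirror file; the JSON layout is hypothetical."""
    path = Path(workspace) / "subprojects" / "wrap-mirrors.json"
    if not path.is_file():
        return None  # no mirror configured: callers fall back to upstream
    data = json.loads(path.read_text(encoding="utf-8"))
    return validate_mirror(data["wrapdb"])


def resolve_wrapdb_url(url, mirror=None):
    """Rewrite wrapdb://... to https://<host>/...; any other scheme is refused."""
    parts = urlsplit(url)
    if parts.scheme != "wrapdb":
        raise ValueError(f"not a wrapdb URL: {url!r}")
    host = validate_mirror(mirror) if mirror is not None else UPSTREAM
    # A netloc inside the wrapdb URL is discarded: the caller never picks the host.
    # The scheme is always https, so a mirror cannot downgrade the transport.
    return urlunsplit(("https", host, parts.path, parts.query, ""))


if __name__ == "__main__":
    sample = "wrapdb:///v2/releases.json"  # constructed sample URL
    print(resolve_wrapdb_url(sample))
    print(resolve_wrapdb_url(sample, "mirror.example.org:8443"))
    for bad in ("http://mirror.example.org", "user@mirror.example.org", "host/path"):
        try:
            resolve_wrapdb_url(sample, bad)
        except ValueError as exc:
            print("rejected:", exc)
```
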