Maven:pom 中定义的存储库和pluginRepositories 存在安全问题?
想象一下当前的情况:
您是一名开发人员,想要参与一个新的(开源)项目。该项目可以通过不同的方式构建 - 其中之一是 Maven。
如果您现在下载源代码存储库并开始构建过程,根据我的理解,您的系统将面临多种安全风险:
默认的 Maven [插件-]存储库是通过 http 访问的 - 通过中间人攻击者可能会向您发送经过操纵的包。如果插件存储库被拦截,这可能会导致注入代码作为构建过程的一部分执行
在文件 pom.xml 中,您可以添加第 3 方存储库和插件存储库。如果攻击者设法将自己的插件存储库添加到项目 pom.xml(例如开源项目)中,则其他项目可能会受到这些插件的攻击。对于第 3 方存储库,我不确定 - 项目 pom.xml 中定义的存储库是否可以覆盖在用户或系统级别定义的存储库?
从我的角度来看,这是严重的安全问题 - 还是有错误的描述?
如果我有一个基于 Maven 的项目 - 如何确保运行 Maven 是安全的?是否有值得信赖的存储库列表(仅包含不会损害其执行计算机的代码)?
Imagine the current situation:
You are an developer and want to participate in a new (open source) project. The project can be build via different ways - one of them is Maven.
If you now download the source code repository and start the build process your system is exposed to multiple security risks from my understanding:
The default Maven [plugin-]repositories are accessed via http - via an Man-in-the-Middle attack someone could could send you manipulated packages. In case of an intercepted plugin-repository this could lead to injected code executed as part of the build process
In the file pom.xml you can add 3rd party repositories and plugin-repositories. If an attacker manages to add his own plugin-repository to a project pom.xml (e.g. of an open source project) and other can be attacked by those plugins. In case of the 3rd party repositories I am not sure - can a repository defined in a project pom.xml override repositories defined at user or system level?
From my point of view this are severe security problems - or is there a mistake description?
If I have a Maven based project - how can I make sure that it is safe to run Maven? Is there a list of repositories that are trustworthy (contain only code that does not harm the computer it is executed on)?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
乍一看你的论点是正确的。但有一些问题需要注意,或者对于潜在的攻击者来说,这些问题并不容易解决。
大多数情况下使用的存储库是 Maven Central,它由 Sonatype 控制(据我所知)。这意味着可以访问这些机器并修改存储库本身的内容,或者只是注入一些基于校验和的内容可能并不那么简单,但当然这并不是不可能的。此外,如果您从互联网下载工件,则您有一个最新的病毒扫描程序处于活动状态,它可以在将其放入您的硬盘驱动器之前首先控制一切。这当然不是100%安全。
进入第二部分:如果您使用的项目在 pom 内定义存储库,这不是“最佳实践”...好吧...让我们假设这一点。所以你将使用这个“被感染”的项目pom。但如何将其投入到项目中呢?这意味着攻击者必须具有对该项目的提交访问权限,换句话说,他已经共享该项目很长时间了。此外,该项目的其他人会审查提交......所以这不会那么简单,但当然也不是不可能。
根据我之前写的内容,有人如何保证存储库仅包含“安全”工件?谁应该控制/检查?将工件放入该存储库需要多长时间?
所以简单的答案是:不,使用 Maven 并不是 100% 安全,但如果我们稍微考虑一下,互联网也不是 100% 安全。在我看来,通过互联网的风险比来自 Maven 存储库的风险要高得多,但我们当然应该忽略这一点。
唯一可能的解决方案是使用存储库管理器,它是下载工件的唯一来源,这意味着将 settings.xml 配置为仅使用它。非常重要的是,您控制放入该存储库的每个工件并对它们进行一些“安全”检查。但谁会做这件事,谁有时间/金钱/资源来做这些事情?
At the first glance your arguments are correct. But there there are some issues to be aware of or which are not the simple to solve for an potential attacker.
The repository which is used in the majority of cases is Maven Central which is under control of Sonatype (as far as i know). This means to have access to those machines and modify the contents of the repository itself or just inject some content which might be not that simple based on the checksums, but of course it does not make it impossible. Furthermore if you are downloading artifacts from the internet you have an up-to-date virus-scanner active which controls everything first before it will be put on your hard-drive. This is of course not 100% safe.
Coming to the second part: If you are using a project which defines repositories inside the pom this not "Best practice"...Ok...let us assume this. So you will use this "infected" project pom. But how has it be put into the project? This means the attacker must have commit access to the project which means in other words he has been shared the project for a long time. Furthermore other people of the project would have reviewed the commit...so this wouldn't be that simple but of course not impossible.
Based on the things i wrote before how could someone give the guaranty that a repository contains only "safe" artifacts? Who should control/check that? And how long would it take to get an artifact into that repository?
So the simple answer is: No it's not 100% safe to use Maven but if we think a little bit about that the internet is not 100% safe as well. In my opinion the risk via the internet is much higher than from a Maven repository, but of course we should ignore this.
The only possible solution for this is to use a Repository Manager which is the only source from where artifacts will be downloaded which means to configure the settings.xml to use only this. And very important that you control every artifact which is put into that repository and do some "security" checks on them. But who will do this and who has the time/money/resources for such things?