
Add TLS enforcement to download shell script in atr/static/sh/download-urls.sh #686

@andrewmusselman

Description


ASVS Requirements: V12.2.1, V12.2.2
CWE: CWE-295 (Improper Certificate Validation), CWE-319 (Cleartext Transmission of Sensitive Information)
Severity: MEDIUM
File: atr/static/sh/download-urls.sh (lines ~6–13)

Description

The download shell script has two issues:

  1. No --proto '=https' flag to restrict curl to HTTPS-only connections, meaning HTTP URLs would be silently accepted.
  2. The ${CURL_EXTRA:-} environment variable is directly interpolated into curl commands, allowing callers to inject --insecure or -k flags that disable TLS certificate verification.

Current code

# ${CURL_EXTRA:-} is unquoted, so it is word-split into extra curl arguments;
# nothing restricts the URL scheme, so http:// entries are fetched as-is.
curl ${CURL_EXTRA:-} -fsS "$_url_of_urls" | while IFS= read -r _url_and_path
do
  _url=${_url_and_path%% *}
  _path=${_url_and_path#* }
  curl ${CURL_EXTRA:-} --create-dirs -fsS "$_url" -o "$_path"
done

Recommended fix

Maybe add a comment for the audit to understand this

Suggestion from audit:
Replace CURL_EXTRA with specific validated options, and enforce HTTPS and TLS 1.2+:

# Single, non-overridable curl wrapper: HTTPS only (--proto '=https'),
# TLS 1.2 or newer (--tlsv1.2), fail on HTTP errors (-f), quiet (-sS).
_curl_secure() {
  curl --proto '=https' --tlsv1.2 -fsS "$@"
}

_curl_secure "$_url_of_urls" | while IFS= read -r _url_and_path
do
  _url=${_url_and_path%% *}
  _path=${_url_and_path#* }
  _curl_secure --create-dirs "$_url" -o "$_path"
done

If proxy support is needed, validate via specific environment variables (HTTPS_PROXY) rather than arbitrary flag injection.
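The following is an added example (not the project's code) that makes the two findings checkable offline: `_count_split_args` shows how an unquoted `${CURL_EXTRA:-}` is word-split into separate curl arguments, and `_fetch_line` rejects any non-https entry from the URL list in pure shell before curl is invoked, on top of the `--proto '=https'` / `--tlsv1.2` pinning. Names `_is_https_url`, `_count_split_args` and `_fetch_line` are assumed for illustration.

```shell
# Shows the injection mechanism: how many separate arguments an unquoted
# ${CURL_EXTRA:-} expands to (e.g. '-k --proto =http' becomes three).
_count_split_args() {
  # shellcheck disable=SC2086  # the unquoted expansion is the point being shown
  set -- ${CURL_EXTRA:-}
  echo "$#"
}

# Pure-shell scheme check: accept only https:// with a non-empty host.
_is_https_url() {
  case "$1" in
    https://[!/]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Fixed, non-overridable curl invocation. Proxy use, if any, comes from the
# HTTPS_PROXY environment variable that curl reads itself, never from flags.
_curl_secure() {
  curl --proto '=https' --tlsv1.2 -fsS "$@"
}

# Process one "URL PATH" line from the list. Returns 1 without calling curl
# when the URL is not https, so a poisoned list cannot downgrade the fetch.
_fetch_line() {
  _url=${1%% *}
  _path=${1#* }
  if ! _is_https_url "$_url"; then
    printf 'refusing non-https URL: %s\n' "$_url" >&2
    return 1
  fi
  _curl_secure --create-dirs "$_url" -o "$_path"
}
```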


Labels: ASVS (Anything related to ASVS requirements), L1 (ASVS L1 requirement), LLM (Anything related to LLM audit performance), security (Issues related to security posture)
