Lack of integrity verification of downloaded external dependencies

[mensfeld]

Hey,

My name is Maciej Mensfeld and I run a research security project called WhiteSource https://diffend.io.

We've noticed, that this library downloads some external resources and uses them. While it's a totally common pattern, what is lacking here is integrity verification.

You could verify the integrity of the downloaded file before using it by comparing the file hash to a hardcoded, expected file hash.

This is essentially what package managers do to verify the integrity of downloaded packages.

Doing this would prevent attack scenarios in which dl.pyroscope.io data is manipulated affecting the supply chain.

Also, in general, it is rather recommended to embed this type of data in the releases rather than download them from external sources. There are use-cases where bundler cache is being used and build of dependencies (installment) happens offline. In scenarios like this, this library won't work (note building != running)

ref https://github.com/pyroscope-io/pyroscope-ruby/blob/main/ext/pyroscope/extconf.rb#L22

Have a great day :)

[petethepig]

Hi @mensfeld

Thanks for all your comments here, there are all very good points. We'll definitely add integrity verification. RE embedding the data... I agree that would be ideal, but it's quite a bit of data, especially if we download it for multiple architectures, so we'd rather load it lazily via http calls.

In the future we'll try to lower the size of this extra data so that we can embed it, I agree that that would be ideal.