ipfs desktop is connecting to npm registry and github on upgrade #1189
Comments
Hello @sneak! I don't know anything about those dialogs nor why they show up on your system. IPFS Desktop, to update, checks GitHub Releases to see if there is a new release available. If so, check We don't download code. We download the installer.
I don't see Microsoft in any of your screenshots, nor can I see a reason why we'd be contacting Microsoft.
Microsoft owns and operates github.com. It downloads from GitHub via both git and https, and downloads node binaries from S3. Do you need more information to reproduce?
Is the installer a JavaScript app that perhaps downloads an embedded node binary?
Ah, yes. IPFS Desktop is an Electron app. Electron comes with Node.js, yes. That is true. I still haven't understood what the problem is here though... is it the warnings you are receiving? Which OS are you using?
The problem is that I am giving ipfs trust via RCE on my machine for auto update, and it is abusing that trust by downloading all sorts of third-party code and running it during the update process. I expected that it would download a single new app bundle or binary, signed by the ipfs developers. Instead, it downloaded node binaries from S3, code from GitHub via both git and https. Assuming I trust the ipfs developers but don't trust GitHub or S3, I now have no way of knowing if my machine has been compromised or not.
"Electron comes with node" does not suggest why ipfs desktop, on update, would be downloading prebuilt node binaries from S3. Is it checking the hashes or signatures on those? If so, where are those hashes or public keys coming from? Another file in S3? I am okay with giving RCE on my machine to the ipfs developers via a click-to-update mechanism. I am not okay with giving RCE on my machine to anyone who holds a valid TLS certificate for github.com or amazonaws.com. Do you see the difference?
@sneak the mechanism gets the new version info from GitHub (not code) and downloads the binaries from GitHub. GitHub stores their binaries from releases on Amazon. It checks the hashes, yes. See here for example: https://github.com/ipfs-shipyard/ipfs-desktop/releases/download/v0.9.5/latest.yml Only macOS and Windows binaries are signed though.
Why is it connecting to the npm registry as well?
GitHub doesn't store their releases in the
As I've asked you before, could you let me know which OS you are running? That would be better to evaluate what's happening. I have multiple ideas in my mind, but not all of them apply to all OSes...
macOS
Thank you for reporting this @sneak. Shared similar concern in #668 (comment) and #789 and those RCE warnings are good example why this is a real issue. I believe next steps here are:
It doesn’t need to be self-hosted, it doesn’t need to be content addressed, the app just needs to be self-contained and not do a whole npm build process when updating - download one new zip, verify checksum, replace itself. This isn’t some big project. |
The connections look like what you would get if you were doing a build of a javascript application. It’s downloading node binaries, pulling things via git and from the npm registry, et c. |
@sneak just out of curiosity: do you have any other Electron-based apps installed? None of them triggers RCE?
If you are running a version before v0.9.6 and you have Node.js installed, then there is a bug where we automatically try to install
@sneak what program creates those popups? It seems to be useful and I would like to use it. |
The program is called Little Snitch, @RGFTheCoder. |
Quick update on this:
I'm closing this as we are tracking moving away from GitHub Releases in #789. If you feel there should be an opt-out from automatic updates that ping GitHub Releases on macOS, please file a new issue (this issue got out of date because we solved most of the concerns).
Automatic upgrades are a type of RCE on my machine. Please at least package and sign the appropriate resources into an update bundle instead of having my machine download unauthenticated code from third parties.