Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ipfs desktop is connecting to npm registry and github on upgrade #1189

Closed
sneak opened this issue Oct 10, 2019 · 23 comments
Closed

ipfs desktop is connecting to npm registry and github on upgrade #1189

sneak opened this issue Oct 10, 2019 · 23 comments
Labels
need/triage Needs initial labeling and prioritization

Comments

@sneak
Copy link

sneak commented Oct 10, 2019

Automatic upgrades are a type of RCE on my machine. Please at least package and sign the appropriate resources into an update bundle instead of having my machine download unauthenticated code from third parties.

@sneak
Copy link
Author

sneak commented Oct 10, 2019

Screen Shot 2019-10-10 at 12 47 37

@sneak
Copy link
Author

sneak commented Oct 10, 2019

Screen Shot 2019-10-10 at 12 53 42

it's cool just download and exec binaries from amazon on my machine, that is just what i consented to when i clicked upgrade in the notification

@sneak
Copy link
Author

sneak commented Oct 10, 2019

Screen Shot 2019-10-10 at 12 56 03

downloading via https from microsoft as well

@hacdias
Copy link
Member

hacdias commented Oct 11, 2019

Hello @sneak! I don't know anything about those dialogs nor why they show up on your system.

IPFS Desktop, to update, checks Github Releases to see if there is a new release available. If so, check latest.yml to get the hash. Then, downloads the binary (which usually is stored on Amazon through GitHub) and then installs. All the binaries are signed for Windows and macOS.

We don't download code. We download the installer.

downloading via https from microsoft as well

I don't see microsoft in any of your screenshots, nor can I see a reason on why we'd be contacting Microsoft. github.com and amazonws.com are correct.

@sneak
Copy link
Author

sneak commented Oct 11, 2019

Microsoft owns and operates github.com. It downloads from github via both git and https, and downloads node binaries from s3. Do you need more information to reproduce?

@sneak
Copy link
Author

sneak commented Oct 11, 2019

Is the installer a javascript app that perhaps downloads an embedded node binary?

@hacdias
Copy link
Member

hacdias commented Oct 11, 2019

Microsoft owns and operates github.com

Ah, yes.


IPFS Desktop is an Electron app. Electron comes with Node.js, yes. That is true.


I still haven't understood what the problem is here though... is it the warnings you are receiving? Which OS are you using?

@sneak
Copy link
Author

sneak commented Oct 11, 2019

The problem is that I am giving ipfs trust via RCE on my machine for auto update, and it is abusing that trust by downloading all sorts of third party code and running it during the update process. I expected that it would download a single new app bundle or binary, signed by the ipfs developers. Instead, it downloaded node binaries from s3, code from github via both git and https. Assuming I trust the ipfs developers but don’t trust github or s3, I now have no way of knowing if my machine has been compromised or not.

@sneak
Copy link
Author

sneak commented Oct 11, 2019

“Electron comes with node” does not suggest why ipfs desktop, on update, would be downloading prebuilt node binaries from S3. Is it checking the hashes or signatures on those? If so, where are those hashes or public keys coming from? Another file in S3?

I am okay with giving RCE on my machine to the ipfs developers via a click-to-update mechanism. I am not okay with giving RCE on my machine to anyone who holds a valid TLS certificate for github.com or amazonaws.com. Do you see the difference?

@hacdias
Copy link
Member

hacdias commented Oct 11, 2019

@sneak the mechanism gets the new version info from GitHub (not code) and downloads the binaries from GitHub. GitHub stores their binaries from releases on Amazon. It checks the hashes, yes. See here for example: https://github.com/ipfs-shipyard/ipfs-desktop/releases/download/v0.9.5/latest.yml

Only macOS and Windows binaries are signed though.

@sneak
Copy link
Author

sneak commented Oct 11, 2019

Why is it connecting to the npm registry as well?

@sneak
Copy link
Author

sneak commented Oct 11, 2019

GitHub doesn’t store their releases in the node-binaries s3 bucket.

@sneak
Copy link
Author

sneak commented Oct 27, 2019

Screen Shot 2019-10-26 at 20 45 17

Screen Shot 2019-10-26 at 20 45 33

Screen Shot 2019-10-26 at 20 46 02

I'm curious as to why this application is downloading new code from the internet to run on my machine outside of its defined autoupdate process.

@hacdias
Copy link
Member

hacdias commented Oct 27, 2019

As I've asked you before, could you let me know which OS are you running? That would be better to evaluate what's happening. I have multiple ideas on my mind, but not all of them apply to all OSes...

@sneak
Copy link
Author

sneak commented Oct 27, 2019

macOS

@lidel
Copy link
Member

lidel commented Oct 30, 2019

Thank you for reporting this @sneak. Shared similar concern in #668 (comment) and #789 and those RCE warnings are good example why this is a real issue.

I believe next steps here are:

@sneak
Copy link
Author

sneak commented Oct 30, 2019

It doesn’t need to be self-hosted, it doesn’t need to be content addressed, the app just needs to be self-contained and not do a whole npm build process when updating - download one new zip, verify checksum, replace itself.

This isn’t some big project.

@sneak
Copy link
Author

sneak commented Oct 30, 2019

The connections look like what you would get if you were doing a build of a javascript application. It’s downloading node binaries, pulling things via git and from the npm registry, et c.

@hacdias
Copy link
Member

hacdias commented Oct 30, 2019

@sneak just out of curiosity: do you have any other Electron-based apps installed? None of them triggers RCE?

@hacdias
Copy link
Member

hacdias commented Oct 30, 2019

If you are running a version before v0.9.6 and you have Node.js installed, then there is a bug where we automatically try to install npm-ipfs which might be the cause for the git calls and even the node process! Please let me know if that's the case. If it is, please update to see if it happens again.

About github.com and amazonws.com (that are not node binaries), it's the auto-update mechanism.

@RGFTheCoder
Copy link

RGFTheCoder commented Nov 17, 2019

@sneak what program creates those popups? It seems to be useful and I would like to use it.

@sneak
Copy link
Author

sneak commented Nov 18, 2019

The program is called Little Snitch, @RGFTheCoder.

@lidel lidel mentioned this issue Feb 17, 2020
@lidel lidel added the need/triage Needs initial labeling and prioritization label Jul 6, 2021
@lidel
Copy link
Member

lidel commented Oct 4, 2021

Quick update on this:

I'm closing this as we are tracking moving away from GitHub Releases in #789

If you feel there should be an opt-out from automatic updates that ping GitHub releases on macOS, please fill a new issue (this issue got out of date because we solved most of the concerns).

@lidel lidel closed this as completed Oct 4, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
need/triage Needs initial labeling and prioritization
Projects
None yet
Development

No branches or pull requests

4 participants