fix Failure to use HTTPS or SFTP URL in Maven artifact upload/download xen-api() #6429

Merged
merged 1 commit into from
Jun 3, 2025

Conversation

@odaysec odaysec (Contributor) commented Apr 16, 2025

<repository>
<id>vcc-releases</id>
<name>VCC Release Repository</name>
<url>http://oss.sonatype.org/content/repositories/java-net-releases/</url>
</repository>

To fix the problem, we need to update the repository URLs in the distributionManagement section of the pom.xml file to use HTTPS instead of HTTP. This change will ensure that artifacts are downloaded and uploaded over a secure protocol, mitigating the risk of MITM attacks.

Specifically, we will:

  1. Change the URL for the repository element from http://oss.sonatype.org/content/repositories/java-net-releases/ to https://oss.sonatype.org/content/repositories/java-net-releases/.
  2. Change the URL for the snapshotRepository element from http://oss.sonatype.org/content/repositories/java-net-snapshots/ to https://oss.sonatype.org/content/repositories/java-net-snapshots/.

Using an insecure protocol like HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a Man in the Middle (MITM) attack. This can allow attackers to inject malicious code into the artifacts that you are resolving and infect the build artifacts that are being produced. This can be used by attackers to perform a supply chain attack against your project's users.

POC

These show locations in Maven POM files where artifact repository upload/download is configured. The first shows the use of HTTP, the second shows the use of HTTPS.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>com.semmle</groupId>
    <artifactId>parent</artifactId>
    <version>1.0</version>
    <packaging>pom</packaging>

    <name>Security Testing</name>
    <description>An example of insecure download and upload of dependencies</description>

    <distributionManagement>
        <repository>
            <id>insecure-releases</id>
            <name>Insecure Repository Releases</name>
            <!-- BAD! Use HTTPS -->
            <url>http://insecure-repository.example</url>
        </repository>
        <snapshotRepository>
            <id>insecure-snapshots</id>
            <name>Insecure Repository Snapshots</name>
            <!-- BAD! Use HTTPS -->
            <url>http://insecure-repository.example</url>
        </snapshotRepository>
    </distributionManagement>
    <repositories>
        <repository>
            <id>insecure</id>
            <name>Insecure Repository</name>
            <!-- BAD! Use HTTPS -->
            <url>http://insecure-repository.example</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>insecure-plugins</id>
            <name>Insecure Repository Releases</name>
            <!-- BAD! Use HTTPS -->
            <url>http://insecure-repository.example</url>
        </pluginRepository>
    </pluginRepositories>
</project>

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>com.semmle</groupId>
    <artifactId>parent</artifactId>
    <version>1.0</version>
    <packaging>pom</packaging>

    <name>Security Testing</name>
    <description>An example of secure download and upload of dependencies</description>

    <distributionManagement>
        <repository>
            <id>insecure-releases</id>
            <name>Secure Repository Releases</name>
            <!-- GOOD! Use HTTPS -->
            <url>https://insecure-repository.example</url>
        </repository>
        <snapshotRepository>
            <id>insecure-snapshots</id>
            <name>Secure Repository Snapshots</name>
            <!-- GOOD! Use HTTPS -->
            <url>https://insecure-repository.example</url>
        </snapshotRepository>
    </distributionManagement>
    <repositories>
        <repository>
            <id>insecure</id>
            <name>Secure Repository</name>
            <!-- GOOD! Use HTTPS -->
            <url>https://insecure-repository.example</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>insecure-plugins</id>
            <name>Secure Repository Releases</name>
            <!-- GOOD! Use HTTPS -->
            <url>https://insecure-repository.example</url>
        </pluginRepository>
    </pluginRepositories>
</project>

References

Want to take over the Java ecosystem? All you need is a MITM!
How to take over the computer of any Java (or Closure or Scala) Developer.
mveytsman/dilettante
Announcing nohttp
HTTP Decommission Artifact Server Announcements
CWE-300
CWE-319
CWE-494
CWE-829

Signed-off-by: Zeroday BYTE <[email protected]>
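The PR description above hand-edits two URLs. As an added example (not code from the PR author or the xen-api project), the script below automates the same check across every POM section that configures artifact transfer, upload via distributionManagement and download via repositories and pluginRepositories, and applies the http-to-https rewrite the PR makes. The sample POM, the repository id vcc-snapshots and the ${internal.repo.url} property are constructed for the example; the two Sonatype URLs are the ones quoted in the PR.

```python
"""Find and fix insecure repository URLs in a Maven POM (added example, not xen-api code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Transports that authenticate the server and protect artifacts in transit;
# file: never crosses the network. Plain http and ftp are deliberately absent.
SECURE_SCHEMES = {"https", "sftp", "scp", "scpexe", "file"}

# POM sections that carry a repository <url>: the first two configure upload
# (mvn deploy), the last two configure download of dependencies and plugins.
REPO_PATHS = [
    ("distributionManagement", "repository"),
    ("distributionManagement", "snapshotRepository"),
    ("repositories", "repository"),
    ("pluginRepositories", "pluginRepository"),
]


def _path(root, *parts):
    """ElementTree path below <project>, qualified with the POM namespace if the file uses one."""
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    return "/".join(f"{{{ns}}}{p}" if ns else p for p in parts)


def _repository_urls(root):
    """Yield (section, repository id, <url> element) for every configured repository."""
    for parts in REPO_PATHS:
        for repo in root.findall(_path(root, *parts)):
            url_el = repo.find(_path(root, "url"))
            if url_el is None or not (url_el.text or "").strip():
                continue
            id_el = repo.find(_path(root, "id"))
            repo_id = (id_el.text or "").strip() if id_el is not None else "(no id)"
            yield "/".join(parts), repo_id, url_el


def find_insecure_repositories(pom_xml):
    """Return (section, id, url, scheme) for each URL whose scheme is not in SECURE_SCHEMES.

    A scheme-less URL (usually an unresolved ${property}) is reported with scheme ''
    because it can only be judged from the effective POM, not from this file.
    """
    findings = []
    for section, repo_id, url_el in _repository_urls(ET.fromstring(pom_xml)):
        url = url_el.text.strip()
        scheme = urlparse(url).scheme  # urlparse lower-cases the scheme
        if scheme not in SECURE_SCHEMES:
            findings.append((section, repo_id, url, scheme))
    return findings


def upgrade_http_to_https(pom_xml):
    """Rewrite http:// repository URLs to https:// as the PR does; return (new POM text, count).

    Only the scheme changes, so this assumes the host serves the same paths over TLS
    (oss.sonatype.org does). ftp:// and scheme-less URLs are left for a human.
    """
    root = ET.fromstring(pom_xml)
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:root.tag.index("}")])  # keep xmlns=..., not ns0:
    changed = 0
    for _section, _repo_id, url_el in _repository_urls(root):
        url = url_el.text.strip()
        if urlparse(url).scheme == "http":
            url_el.text = "https://" + url.split("://", 1)[1]
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


# Constructed sample modelled on the PR: the two http:// deployment URLs it fixes (the
# snapshot id is assumed), one secure download repository, and a property-based URL.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <distributionManagement>
    <repository>
      <id>vcc-releases</id>
      <url>http://oss.sonatype.org/content/repositories/java-net-releases/</url>
    </repository>
    <snapshotRepository>
      <id>vcc-snapshots</id>
      <url>http://oss.sonatype.org/content/repositories/java-net-snapshots/</url>
    </snapshotRepository>
  </distributionManagement>
  <repositories>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
    <repository>
      <id>internal</id>
      <url>${internal.repo.url}</url>
    </repository>
  </repositories>
</project>
"""

if __name__ == "__main__":
    for section, repo_id, url, scheme in find_insecure_repositories(SAMPLE_POM):
        print(f"{section} [{repo_id}]: {url} (scheme: {scheme or 'none'})")
    fixed_pom, count = upgrade_http_to_https(SAMPLE_POM)
    print(f"rewrote {count} URL(s); remaining: {find_insecure_repositories(fixed_pom)}")
```

Run it against a checked-out pom.xml by reading the file into find_insecure_repositories. Two caveats worth keeping in mind when triaging its output: Maven 3.8.1 and later ship a default settings.xml mirror (maven-default-http-blocker, mirrorOf external:http:*) that refuses to download from http repositories, but mirrors apply only to resolution, so an http URL under distributionManagement still governs where mvn deploy pushes artifacts and is not caught by that blocker; and a URL written as a ${property} has to be checked in the effective POM (mvn help:effective-pom), since this file alone says nothing about the scheme it resolves to.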
@robhoes robhoes requested a review from kc284 April 16, 2025 09:26
@kc284 kc284 (Contributor) commented Jun 3, 2025

These URLs are used for deployment, which we haven't done since CH8.1. Download is done by default from the Maven Central repository, or from another repository the user has specified in their settings.

@psafont psafont added this pull request to the merge queue Jun 3, 2025
Merged via the queue into xapi-project:master with commit c3761f9 Jun 3, 2025
17 checks passed
@edwintorok edwintorok (Contributor) commented

Discussed this in more detail with @kc284: these URLs were effectively unused. The previous deployment wasn't done using this file; it was done manually.
