This repository was archived by the owner on Jun 6, 2025. It is now read-only.
This repository was archived by the owner on Jun 6, 2025. It is now read-only.
Lack of integrity verification of downloaded external dependencies #14
Description
Hey,
My name is Maciej Mensfeld and I run a research security project called WhiteSource Diffend.io.
I've noticed, that this library downloads some external resources and uses them. While it's a totally common pattern, what is lacking here is integrity verification.
You could verify the integrity of the downloaded file before using it by comparing the file hash to a hardcoded, expected file hash.
This is essentially what package managers do to verify the integrity of downloaded packages.
Doing this would prevent attack scenarios in which biscuit is manipulated.
Have a great day :)
ref: https://my.diffend.io/gems/biscuit/0.0.1/page/1#d2h-485802