Check downloaded resources integrity
alexec opened this issue · 0 comments
alexec commented
When you pull a resource down, you should check the resource's hash against a known good value, in case the third party is compromised and an attacker replaces the resource (JavaScript) with something bad.
Basically this:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
<script src="https://example.com/example-framework.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>
Could be done like this:
apiVersion: argoproj.io/v1alpha1
kind: ArgoCDExtension
metadata:
  name: hello-world
  finalizers:
    - extensions-finalizer.argocd.argoproj.io
spec:
  sources:
    - git:
        url: https://github.com/argoproj-labs/argocd-example-extension.git
    - web:
        url: https://github.com/argoproj-labs/argocd-example-extension/releases/download/v0.1.0/extension.tar
        integrity: sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC
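The check the proposal describes, written out as a stand-alone Go example (added here; it is not Argo CD's code and the project has no such helper on this page). It assumes the `integrity` field uses the SRI format `<algo>-<base64 digest>` shown above, derives the digest of the downloaded bytes with the named algorithm, and compares in constant time; the "tarball" bytes are a constructed sample, not a real extension release.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"hash"
	"strings"
)

// parseIntegrity splits an SRI-style value such as
// "sha384-oqVuAf..." into its algorithm name and decoded digest.
func parseIntegrity(integrity string) (algo string, digest []byte, err error) {
	algo, b64, ok := strings.Cut(integrity, "-")
	if !ok || algo == "" || b64 == "" {
		return "", nil, errors.New("integrity must look like <algo>-<base64 digest>")
	}
	digest, err = base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", nil, fmt.Errorf("integrity digest is not valid base64: %w", err)
	}
	return algo, digest, nil
}

// newHash maps the SRI algorithm names to Go hash constructors.
// SHA-384 lives in crypto/sha512 in the standard library.
func newHash(algo string) (hash.Hash, error) {
	switch algo {
	case "sha256":
		return sha256.New(), nil
	case "sha384":
		return sha512.New384(), nil
	case "sha512":
		return sha512.New(), nil
	}
	return nil, fmt.Errorf("unsupported integrity algorithm %q", algo)
}

// VerifyIntegrity returns nil only if content hashes to the digest
// carried in integrity. A mismatch means the download must be rejected,
// whether the cause is corruption or a replaced file at the third party.
func VerifyIntegrity(content []byte, integrity string) error {
	algo, want, err := parseIntegrity(integrity)
	if err != nil {
		return err
	}
	h, err := newHash(algo)
	if err != nil {
		return err
	}
	h.Write(content)
	got := h.Sum(nil)
	// A digest of the wrong length for the algorithm is a malformed
	// manifest, not merely a mismatch; report it distinctly.
	if len(got) != len(want) {
		return fmt.Errorf("integrity digest length %d does not match %s", len(want), algo)
	}
	if subtle.ConstantTimeCompare(got, want) != 1 {
		return errors.New("integrity mismatch: downloaded resource does not match manifest")
	}
	return nil
}

// IntegrityFor produces the value a maintainer would record in the
// manifest for a known-good copy of the resource.
func IntegrityFor(algo string, content []byte) (string, error) {
	h, err := newHash(algo)
	if err != nil {
		return "", err
	}
	h.Write(content)
	return algo + "-" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

func main() {
	// Constructed sample standing in for the downloaded extension.tar bytes.
	content := []byte("constructed sample extension tarball contents")
	integrity, _ := IntegrityFor("sha384", content)
	fmt.Println("manifest value:", integrity)
	fmt.Println("genuine download:", VerifyIntegrity(content, integrity))

	tampered := append([]byte(nil), content...)
	tampered[0] ^= 0x01 // a single flipped bit, as a replaced file would differ
	fmt.Println("tampered download:", VerifyIntegrity(tampered, integrity))
}
```

Pinning the digest in the manifest means a compromised release host can only cause the install to fail, not to run attacker-supplied code; rotating the `integrity` value becomes part of releasing a new version, which is the intended trade-off.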