vshymanskyy/ViperIDE

CDN assets open for attack

esprehn opened this issue · 2 comments

Describe the bug
Viper pulls in a bunch of scripts from various CDNs but doesn't specify an SRI hash for the files. This leaves it open to attacks where the CDN is compromised, like the recent one:

https://sansec.io/research/polyfill-supply-chain-attack

Setup

  • n/a

To Reproduce
n/a

Expected behavior
SRI attributes set on all scripts that are not directly hosted:

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

All scripts in this file that are not directly hosted like app.js need the integrity attribute:

<div id="dpi-ruler" style="position:absolute;height:1in;width:1in;left:-100%;top:-100%;"></div>

Alternatively, all scripts could be hosted directly by Viper instead. You can download them from the CDN to serve directly.

Actual Screenshots / Logs
n/a

Additional context

Viper is super cool! But without SRI attributes set or directly hosting all the scripts, it's open to the same attacks as what recently happened to polyfill.io.

Basically, ViperIDE now uses the normal rollup.js based workflow.
This was required to migrate to CodeMirror 6.
Several packages are still imported from a CDN, but I'll get rid of them altogether soon.

Some CDNs are eliminated, SRI added to others
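
The check requested in this issue can be automated. The following is an added example, not part of the thread or of ViperIDE's code: a Node.js sketch that computes SRI values and lists cross-origin `<script>` tags with no `integrity` attribute. The function names, host names and sample page are constructed for illustration.

```javascript
const { createHash } = require('crypto');

// Build an integrity value ("sha384-<base64 digest>") for file contents.
function sriHash(content, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(content).digest('base64')}`;
}

// True if content matches one of the hashes in an integrity attribute.
// Simplification: browsers only honour the strongest algorithm listed.
function matchesIntegrity(content, integrity) {
  return integrity.trim().split(/\s+/).some((token) => {
    const algo = token.split('-', 1)[0];
    return ['sha256', 'sha384', 'sha512'].includes(algo) &&
      sriHash(content, algo) === token.split('?')[0]; // drop SRI options
  });
}

// List <script src> URLs loaded from another host without an integrity
// attribute. A regex scan is enough for a static index.html; it is not
// a full HTML parser.
function findScriptsWithoutSri(html, ownHost) {
  const missing = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const url = /\ssrc\s*=\s*["']([^"']+)["']/i.exec(tag)?.[1];
    // Relative URLs are served by the site itself, so SRI is not needed.
    if (!url || !/^(?:https?:)?\/\//i.test(url)) continue;
    const host = new URL(url, 'https://placeholder.invalid').host;
    if (host !== ownHost && !/\sintegrity\s*=/i.test(tag)) missing.push(url);
  }
  return missing;
}

// Constructed sample page (hosts and file names are made up).
const SAMPLE_HTML = `
<script src="./app.js"></script>
<script src="https://cdn.example/lib-a.min.js"></script>
<script src="https://cdn.example/lib-b.min.js"
        integrity="${sriHash('lib-b contents')}" crossorigin="anonymous"></script>
<script src="//other-cdn.example/lib-c.js"></script>`;

console.log(findScriptsWithoutSri(SAMPLE_HTML, 'ide.example'));
```

Run in CI against the built `index.html`, a non-empty result can fail the build until the tag is pinned with `sriHash()` of the reviewed file or the asset is self-hosted.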