wilsonzlin/minify-html

0.13.1 insecurely fetches data at build time

mgorny opened this issue · 2 comments

mgorny commented

The minify-html-common/build.rs script seems to fetch https://www.unpkg.com/@wzlin/html-data@2023013104.0.0/data.json from a third-party site. This is problematic because:

  1. The file is fetched from a third-party site and there is no authenticity verification, which means that if the file is hijacked, it could be used to inject vulnerabilities into the package.
  2. Since the file is fetched unconditionally without caching, it is impossible to build the package in an offline environment (or otherwise on a server where unpkg.com is blocked by a firewall).

We're building packages in Gentoo in a network-restricted environment to protect users' privacy, so this version cannot be built here at all.

I've updated the code to avoid downloading the JSON on build (it's now stored in the repo); this will be released in version 0.13.3. Let me know if this works for you.

mgorny commented

Yes, thank you!