usertesting / biscuit Goto Github PK

Hey,

My name is Maciej Mensfeld and I run a research security project called WhiteSource Diffend.io.

I've noticed, that this library downloads some external resources and uses them. While it's a totally common pattern, what is lacking here is integrity verification.

You could verify the integrity of the downloaded file before using it by comparing the file hash to a hardcoded, expected file hash.

This is essentially what package managers do to verify the integrity of downloaded packages.

Doing this would prevent attack scenarios in which biscuit is manipulated.

Have a great day :)

ref: https://my.diffend.io/gems/biscuit/0.0.1/page/1#d2h-485802

Newer projects use Rake 12.0, and biscuit has it specified as ~> 10.0, which makes it incompatible.

The change

64c3543 switch from YAML parsing to splitting on newlines then chopping up based on :...

But...

The biscuit binary supports multilines...

For example

$ touch somefile
$ echo "foo\nbar" >> somefile
$ biscuit put -f secret_file.yml FOO -i somefile
$ biscuit export -f secret_file.yml | grep FOO -A2
FOO: |
  foo
  bar

And for our use case...

• We have some keys that need multilines.. my attempts to encode it in biscuit with the newlines removed, then replace them after loading is a bit too clunky. Think we'd better keep support for multiline values

How should we fix?

• Revert most of #4 (but keeping the specs for non values)
• Some hybrid of YAML loading the keys and manually parsing the values
• Regex golf on |\n ?