This repository was archived by the owner on Jan 5, 2024. It is now read-only.

Unvalidated download of the stack binary (and probably others). #118

Open
mbj opened this issue Sep 30, 2022 · 4 comments
Labels
re: security Potential and actual security hazards

Comments

@mbj
Contributor

mbj commented Sep 30, 2022

While browsing this action's source code I stumbled over the fact that the downloads are unvalidated.

https://github.com/haskell/actions/blob/main/setup/src/installer.ts#L208-L209

Yes, it's unlikely that someone controls GitHub DNS + can fake an SSL cert to smuggle a bad binary into a GitHub action: it's still possible. And as this action is quite popular I wanted to raise the issue here.

It's likely other downloads are also unvalidated. If I had the time resources I'd PR a change that would allow us to register expected sha256 of the various things this action could download, possibly even the GPG keys so we do not have to constantly churn hash updates. Given I do not have the time I opened this issue to potentially trigger someone else's energy ;)

Anyhow, for the moment, to put my mind at ease I switched away from this action and simply do this in my builds:

```sh
set -e
# Pin the exact release asset to fetch.
curl --location --output stack https://github.com/commercialhaskell/stack/releases/download/v2.9.1/stack-2.9.1-linux-x86_64-bin
# Fail the build (via set -e) unless the download matches the pinned sha256.
echo 'dc4c60b2f018aadb2ebd40d81e5d10aada881d804a69911eea2da67906fc058c  stack' | sha256sum -c
chmod +x ./stack
```

Does not get me implicit stack updates in any way but at least puts my paranoid mind at ease.

@andreasabel
Member

@mbj Thanks for reporting!

main/setup/src/installer.ts#L208-L209

Please use permalinks in issue reports; as you can see, your link is already shifted.

@andreasabel andreasabel added the re: security Potential and actual security hazards label Dec 29, 2022
@mbj
Contributor Author

mbj commented Dec 29, 2022

> Please use permalinks in issue reports; as you can see, your link is already shifted.

Sorry, oversight on my side.

@andreasabel
Member

So, was it this you meant?

```ts
const url = `https://github.com/commercialhaskell/stack/releases/download/v${version}/stack-${version}-${build}.tar.gz`;
const p = await tc.downloadTool(`${url}`).then(tc.extractTar);
```

The hashes could live in this file:

```json
"stack": [
"2.9.3",
"2.9.1",
"2.7.5",
"2.7.3",
"2.7.1",
"2.5.1",
"2.3.3",
```

But this file only states which versions the action knows of. You can still instruct it to download a stack version not in the list, by giving the full stack version number. This feature should be preserved. So, say the action would know certain stack versions with their tar hashes, it could verify the tars if it has a hash and skip the step with a warning if it doesn't.

@mbj
Contributor Author

mbj commented Dec 31, 2022

Yeah, so overall there is no validation of the content of the stack binary being done, which is standard practice for any download in the space. Stack by itself validates the GHC download hash, for example, before installing a GHC.

For the feature of "use your own stack version" I recommend also allowing, but not requiring, people to specify the hash of unknown versions.
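The verify-or-warn scheme sketched in the two comments above (a table of hashes for known versions, an optional user-supplied hash for unknown ones, a warning when neither exists), as an added example that is not code from haskell/actions; the version numbers and file contents in it are constructed, and the hash table is hypothetical:

```typescript
// Added example, not code from haskell/actions: hash verification for a
// downloaded stack archive along the lines discussed in this issue.
import { createHash } from "crypto";
import { readFileSync, writeFileSync } from "fs";
import { tmpdir } from "os";
import { join } from "path";

export type Verdict =
  | { status: "verified"; sha256: string }
  | { status: "skipped"; sha256: string; warning: string }
  | { status: "mismatch"; expected: string; actual: string };

export function sha256File(path: string): string {
  return createHash("sha256").update(readFileSync(path)).digest("hex");
}

// The expected hash is the user-supplied one (for versions the action does
// not know) or the table entry; with neither, the download is still used
// but flagged rather than silently trusted. A wrong hash is a hard failure.
export function verifyDownload(
  path: string,
  version: string,
  known: Record<string, string>,
  userHash?: string,
): Verdict {
  const actual = sha256File(path);
  const expected: string | undefined = userHash ?? known[version];
  if (expected === undefined) {
    return { status: "skipped", sha256: actual,
      warning: `no sha256 on record for stack ${version}; download unverified` };
  }
  const want = expected.trim().toLowerCase();
  return want === actual
    ? { status: "verified", sha256: actual }
    : { status: "mismatch", expected: want, actual };
}

// Self-contained demo on a constructed file; "9.9.9" is a hypothetical
// known version whose table hash was computed from the same bytes.
export function demo(): Verdict[] {
  const path = join(tmpdir(), `stack-hash-example-${process.pid}`);
  writeFileSync(path, "constructed stack archive bytes");
  const good = sha256File(path);
  const table: Record<string, string> = { "9.9.9": good };
  return [
    verifyDownload(path, "9.9.9", table),                     // verified
    verifyDownload(path, "9.9.8", table),                     // skipped + warning
    verifyDownload(path, "9.9.8", table, "00".repeat(32)),    // user hash wrong
    verifyDownload(path, "9.9.9", table, good.toUpperCase()), // case-insensitive
  ];
}
```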
