ipfs desktop is connecting to npm registry and github on upgrade #1189

Closed
sneak opened this issue Oct 10, 2019 · 23 comments
Labels
need/triage Needs initial labeling and prioritization

Comments

sneak commented Oct 10, 2019

Automatic upgrades are a type of RCE on my machine. Please at least package and sign the appropriate resources into an update bundle instead of having my machine download unauthenticated code from third parties.

sneak (Author) commented Oct 10, 2019

[Screenshot: Screen Shot 2019-10-10 at 12 47 37]

sneak (Author) commented Oct 10, 2019

[Screenshot: Screen Shot 2019-10-10 at 12 53 42]

it's cool just download and exec binaries from amazon on my machine, that is just what i consented to when i clicked upgrade in the notification

sneak (Author) commented Oct 10, 2019

[Screenshot: Screen Shot 2019-10-10 at 12 56 03]

downloading via https from microsoft as well

hacdias (Member) commented Oct 11, 2019

Hello @sneak! I don't know anything about those dialogs nor why they show up on your system.

To update, IPFS Desktop checks GitHub Releases to see if there is a new release available. If so, it checks latest.yml to get the hash, then downloads the binary (which is usually stored on Amazon through GitHub) and installs it. All the binaries are signed for Windows and macOS.

We don't download code. We download the installer.

> downloading via https from microsoft as well

I don't see microsoft in any of your screenshots, nor can I see a reason on why we'd be contacting Microsoft. github.com and amazonws.com are correct.

sneak (Author) commented Oct 11, 2019

Microsoft owns and operates github.com. It downloads from github via both git and https, and downloads node binaries from s3. Do you need more information to reproduce?

sneak (Author) commented Oct 11, 2019

Is the installer a javascript app that perhaps downloads an embedded node binary?

hacdias (Member) commented Oct 11, 2019

> Microsoft owns and operates github.com

Ah, yes.


IPFS Desktop is an Electron app. Electron comes with Node.js, yes. That is true.


I still haven't understood what the problem is here though... is it the warnings you are receiving? Which OS are you using?

sneak (Author) commented Oct 11, 2019

The problem is that I am giving ipfs trust via RCE on my machine for auto update, and it is abusing that trust by downloading all sorts of third party code and running it during the update process. I expected that it would download a single new app bundle or binary, signed by the ipfs developers. Instead, it downloaded node binaries from s3, code from github via both git and https. Assuming I trust the ipfs developers but don’t trust github or s3, I now have no way of knowing if my machine has been compromised or not.

sneak (Author) commented Oct 11, 2019

“Electron comes with node” does not suggest why ipfs desktop, on update, would be downloading prebuilt node binaries from S3. Is it checking the hashes or signatures on those? If so, where are those hashes or public keys coming from? Another file in S3?

I am okay with giving RCE on my machine to the ipfs developers via a click-to-update mechanism. I am not okay with giving RCE on my machine to anyone who holds a valid TLS certificate for github.com or amazonaws.com. Do you see the difference?

hacdias (Member) commented Oct 11, 2019

@sneak the mechanism gets the new version info from GitHub (not code) and downloads the binaries from GitHub. GitHub stores their binaries from releases on Amazon. It checks the hashes, yes. See here for example: https://github.com/ipfs-shipyard/ipfs-desktop/releases/download/v0.9.5/latest.yml

Only macOS and Windows binaries are signed though.

sneak (Author) commented Oct 11, 2019

Why is it connecting to the npm registry as well?

sneak (Author) commented Oct 11, 2019

GitHub doesn’t store their releases in the node-binaries s3 bucket.

sneak (Author) commented Oct 27, 2019

[Screenshot: Screen Shot 2019-10-26 at 20 45 17]

[Screenshot: Screen Shot 2019-10-26 at 20 45 33]

[Screenshot: Screen Shot 2019-10-26 at 20 46 02]

I'm curious as to why this application is downloading new code from the internet to run on my machine outside of its defined autoupdate process.

hacdias (Member) commented Oct 27, 2019

As I've asked you before, could you let me know which OS you are running? That would help me evaluate what's happening. I have multiple ideas in my mind, but not all of them apply to all OSes...

sneak (Author) commented Oct 27, 2019

macOS

lidel (Member) commented Oct 30, 2019

Thank you for reporting this @sneak. I shared a similar concern in #668 (comment) and #789, and those RCE warnings are a good example of why this is a real issue.

I believe next steps here are:

sneak (Author) commented Oct 30, 2019

It doesn’t need to be self-hosted, it doesn’t need to be content addressed, the app just needs to be self-contained and not do a whole npm build process when updating - download one new zip, verify checksum, replace itself.

This isn’t some big project.

sneak (Author) commented Oct 30, 2019

The connections look like what you would get if you were doing a build of a javascript application. It’s downloading node binaries, pulling things via git and from the npm registry, etc.

hacdias (Member) commented Oct 30, 2019

@sneak just out of curiosity: do you have any other Electron-based apps installed? None of them triggers RCE?

hacdias (Member) commented Oct 30, 2019

If you are running a version before v0.9.6 and you have Node.js installed, then there is a bug where we automatically try to install npm-ipfs which might be the cause for the git calls and even the node process! Please let me know if that's the case. If it is, please update to see if it happens again.

About github.com and amazonws.com (that are not node binaries), it's the auto-update mechanism.

RGFTheCoder commented Nov 17, 2019

@sneak what program creates those popups? It seems to be useful and I would like to use it.

sneak (Author) commented Nov 18, 2019

The program is called Little Snitch, @RGFTheCoder.

@lidel lidel mentioned this issue Feb 17, 2020
@lidel lidel added the need/triage Needs initial labeling and prioritization label Jul 6, 2021
lidel (Member) commented Oct 4, 2021

Quick update on this:

I'm closing this as we are tracking moving away from GitHub Releases in #789

If you feel there should be an opt-out from automatic updates that ping GitHub releases on macOS, please file a new issue (this issue got out of date because we solved most of the concerns).

@lidel lidel closed this as completed Oct 4, 2021