使用Maven有多安全? [英] How secure is using Maven?
问题描述
有人设置伪装maven存储库和/或ip流以提供伪装的原始库副本但注入了恶意或有害代码的风险和可能性或场景。
What are the risks and possibilities or scenarios whereby someone sets up masquerades of maven repositories and/or ip streams to provide masqueraded library copies of the original but injected with malicious or harmful code.
防止此类风险和可能性的步骤和做法是什么?
What are the steps and practices to prevent such risks and possibilities?
推荐答案
我认为这是一个专注且资源丰富的攻击者可以执行MITM攻击并拦截对公共Maven存储库的所有请求,小心地将恶意字节码注入JAR工件,然后重新计算并提供SHA1哈希值。
I suppose a dedicated and resourceful attacker could perform an MITM attack and intercept all requests to public Maven repositories, carefully injecting malicious bytecode into the JAR artifacts, then recalculating and supplying the SHA1 hashes.
对于客户端,它看起来像一个合法的工件:二进制JAR和SHA1匹配,即使它们检查备用镜像也是一样的。
To the client, it would appear as a legitimate artifact: the binary JAR and the SHA1 match and will be the same even if they check alternate mirrors.
我想唯一真正的解决方案是请求中央回购支持HTTPS(并且相信TLS本身没有被破坏)。
I suppose the only real solution is to request the central repos to support HTTPS (and trust that TLS itself hasn't been broken).
或者,实际的方法可能是o通过HTTPS向内部客户端设置Maven代理(Artifactory或Nexus)。这减少了攻击面,意味着您只需要保护从该服务器到外部世界的通信线路。我会定期仔细检查代理上的JAR和哈希是否与公共镜像上的JAR和哈希匹配使用完全独立,可信赖的网络。
Alternatively, a practical approach might be to set up a Maven proxy (Artifactory or Nexus) served over HTTPS to internal clients. This reduces the attack surface and means that you'll just have to secure the communication lines from that server to the outside world. I would periodically double check that the JARs and hashes on the proxy match those on the public mirrors using a totally independent, trusted network.
如果你真的,真的想成为确保您不会信任二进制文件 - 相反,您将在下载所有源代码并手动查看 ,然后再自行编译 - 但这假设您有足够的资格进行评估的资源和时间和信任整个构建工具链。
If you really, really want to be secure you wouldn't be trusting binaries—instead, you'd be downloading all source code and reviewing them by hand before compiling them yourself—but that assumes you have enough qualified resources and time to conduct the reviews and trust your entire build tool chain to begin with.
好吧,他们总是说层中的安全性。
Well, security in layers as they always say.
这篇关于使用Maven有多安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
