How secure is using Maven?

日久生厌 2021-01-31 15:14

What are the risks, possibilities or scenarios whereby someone sets up masquerades of Maven repositories and/or IP streams to provide masqueraded library copies of the originals?

3 answers
  •  一整个雨季
    2021-01-31 15:42

    I can think of several scenarios, though the first isn't Maven-specific.

    1. DNS cache poisoning

      The DNS data you use to get to the standard repositories could be poisoned, causing Maven to download artifacts from a different repository. See the Wikipedia article on DNS cache poisoning.

    2. Non-standard repositories

      Any repository you add to your Maven configuration could provide artifacts that include malicious code. Prevent this by using only those third-party repositories that you trust.

    3. Repository poisoning

      Based on Maven's Guide to uploading artifacts to the Central Repository, it looks like the central Maven repository publishes artifacts from approved repository hosts, so security of artifacts depends on the host. I don't know specifics about the process of becoming an approved repository host, but with so few listed it's probably onerous.

      In addition, the central repo requires PGP signatures for all deployments, so unless a malicious user gains access to the private key for a project, I don't think this is possible.

    4. Artifact modification during transmission (man in the middle)

      Maven does automatic checksum verification for all artifacts, so the attacker would have to modify the artifact and the accompanying checksums to inject malicious code. I don't know if you could prevent it completely, but to make sure you're paying attention to checksums, make sure your checksum policy isn't set to ignore. See the settings doc.

    As other commenters have mentioned, a good way to prevent malicious code from getting into your production deployment is to only use an internal Maven repository for production release builds. By restricting access to the addition of dependencies to that repository, you can make sure that they are all verified at whatever level you choose, e.g. checksum double-checking, source scanning.
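As an added example (not part of the answer above and not the Maven project's own configuration), here is a `settings.xml` that puts the answer's two recommendations into practice: the checksum policy is set to `fail` rather than the weak `ignore` value, every repository request is routed through an internal mirror, and all URLs use HTTPS so that a poisoned DNS answer or an on-path attacker is stopped by certificate validation instead of being able to hand Maven a substituted artifact. The hostname `repo.example.internal` and the `internal-repo` / `strict-checksums` ids are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example settings.xml, not Maven's own; hostnames and ids are assumed placeholders. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">

  <!-- Route every repository (mirrorOf *) through the internal, vetted mirror.
       Only what has been reviewed and uploaded there is reachable by a build. -->
  <mirrors>
    <mirror>
      <id>internal-repo</id>
      <name>Internal vetted release repository</name>
      <url>https://repo.example.internal/maven2</url>   <!-- HTTPS, never plain http -->
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>

  <profiles>
    <profile>
      <id>strict-checksums</id>
      <repositories>
        <repository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <!-- Weak setting the answer warns about:
                 <checksumPolicy>ignore</checksumPolicy>
                 With "ignore" a mismatching .sha1/.md5 is silently accepted.
                 "warn" (the default) only logs; "fail" aborts the download. -->
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <!-- Snapshots are mutable by design; keep them out of release builds. -->
            <enabled>false</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
        </repository>
      </repositories>
      <!-- Plugins are executed at build time, so they deserve the same policy. -->
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>

  <activeProfiles>
    <activeProfile>strict-checksums</activeProfile>
  </activeProfiles>
</settings>
```

The checksum policy is declared on the repository definition, and the mirror inherits it, so the `fail` setting still governs downloads that actually come from `repo.example.internal`. For a one-off build without touching `settings.xml`, `mvn -C` (`--strict-checksums`) has the same effect of failing on a checksum mismatch. Keep in mind the caveat the answer itself raises: the `.sha1` file is served by the same host as the artifact, so checksums detect corruption and a lazy substitution, not an attacker who controls the repository and can rewrite both files; the PGP signatures on Central and an internal repository with controlled uploads are what cover that case.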
