You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Jun 6, 2025. It is now read-only.
My name is Maciej Mensfeld and I run a research security project called WhiteSource Diffend.io.
I've noticed, that this library downloads some external resources and uses them. While it's a totally common pattern, what is lacking here is integrity verification.
You could verify the integrity of the downloaded file before using it by comparing the file hash to a hardcoded, expected file hash.
This is essentially what package managers do to verify the integrity of downloaded packages.
Doing this would prevent attack scenarios in which biscuit is manipulated.
Hey,
My name is Maciej Mensfeld and I run a research security project called WhiteSource Diffend.io.
I've noticed, that this library downloads some external resources and uses them. While it's a totally common pattern, what is lacking here is integrity verification.
You could verify the integrity of the downloaded file before using it by comparing the file hash to a hardcoded, expected file hash.
This is essentially what package managers do to verify the integrity of downloaded packages.
Doing this would prevent attack scenarios in which
biscuitis manipulated.Have a great day :)
ref: https://my.diffend.io/gems/biscuit/0.0.1/page/1#d2h-485802