The usage of HTTPS is not enforced here. As it is possible for the HTTP client to follow redirects, such redirects might lead to websites using HTTP. As HTTP is a clear-text protocol, it is considered insecure. Due to its lack of encryption, attackers that are able to sniff traffic from the network can read, modify, or corrupt the transported content. Therefore, allowing redirects to HTTP can lead to several risks: * Exposure of sensitive data * Malware-infected software updates or installers * Corruption of critical information Even in isolated networks, such as segmented cloud or offline environments, it is important to ensure the usage of HTTPS. If not, then insider threats with access to these environments might still be able to monitor or tamper with communications. == Ask Yourself Whether * It is possible for the requested resource to be redirected to an insecure location in the future. There is a risk if you answered yes to the question. == Recommended Secure Coding Practices * Ensure that the HTTP client only accepts HTTPS pages. In `curl` this can be enabled using the option `--proto "=https"`. * If it is not necessary to follow HTTP redirects, disable this in the HTTP client. In `curl` this is done by omitting the `-L` or `--location` option. In `wget` this is done by adding the option `--max-redirect=0`. == Sensitive Code Example In the examples below, an install script is downloaded using `curl` or `wget` and then executed. While connections made using HTTPS are generally considered secure, `\https://might-redirect.example.com/install.sh` might redirect to a location that uses HTTP. Downloads made using HTTP are not secure and can be intercepted and modified. An attacker could modify the install script to run malicious code inside the container. `curl` will not follow redirects unless either `-L` or `--location` option is used. [source,docker,diff-id=1,diff-type=noncompliant] ---- FROM ubuntu:22.04 # Sensitive RUN curl --tlsv1.2 -sSf -L https://might-redirect.example.com/install.sh | sh ---- `wget` will follow redirects by default. [source,docker,diff-id=2,diff-type=noncompliant] ---- FROM ubuntu:22.04 # Sensitive RUN wget --secure-protocol=TLSv1_2 -q -O - https://might-redirect.example.com/install.sh | sh ---- == Compliant Solution If you expect the server to redirect the download to a new location, `curl` can use the option `--proto "=https"` to ensure requests are only made using HTTPS. Any attempt to redirect to a location using HTTP will result in an error. [source,docker,diff-id=1,diff-type=compliant] ---- FROM ubuntu:22.04 RUN curl --proto "=https" --tlsv1.2 -sSf -L https://might-redirect.example.com/install.sh | sh ---- `wget` does not support this functionality so `curl` should be used instead. If you expect the server to return the file without redirects, `curl` should not be instructed to follow redirects. Remove any `-L` or `--location` options from the command. [source,docker] ---- FROM ubuntu:22.04 RUN curl --tlsv1.2 -sSf https://might-redirect.example.com/install.sh | sh ---- `wget` uses the option `--max-redirect=0` to disable redirects. [source,docker,diff-id=2,diff-type=compliant] ---- FROM ubuntu:22.04 RUN wget --secure-protocol=TLSv1_2 --max-redirect=0 -q -O - https://might-redirect.example.com/install.sh | sh ---- == See * CWE - https://cwe.mitre.org/data/definitions/757[CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')] * https://curl.se/docs/manpage.html#--proto[curl.1 the man page] - `--proto ` * https://www.gnu.org/software/wget/manual/wget.html#HTTP-Options[wget - GNU Wget Manual] - `--max-redirect=` * https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#41-encrypt-everything[SSL and TLS Deployment Best Practices] - Encrypt Everything ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message For `curl`: * Not enforcing HTTPS here might allow for redirections to insecure websites. Make sure it is safe here. For `wget`: * Not disabling redirects might allow for redirections to insecure websites. Make sure it is safe here. === Highlighting For `curl`: * Highlight the `curl` command, the `-L` option, and the URL. For `wget`: * Highlight the `wget` command and the URL. endif::env-github,rspecator-view[]