[SECURITY] Code generator generates projects with insecure repositories

[JLLeitschuh]

CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check

This project is generating starter projects that are resolving dependencies over HTTP instead of HTTPS.

Additionally, the sample associated with this project are vulnerable to this as well. Any of these artifacts could have been MITM to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JARs or other dependencies were compromised, any developers using these could continue to be infected past updating to fix this.

This vulnerability has a CVSS v3.0 Base Score of 8.1/10
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

This isn't just theoretical

POC code has existed since 2014 to maliciously compromise a JAR file inflight.
See:

• https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/
• https://github.com/mveytsman/dilettante

MITM Attacks Increasingly Common

See:

• https://serverfault.com/a/153065
• https://security.stackexchange.com/a/12050
• Comcast continues to inject its own code into websites you visit (over HTTP)

Source Locations

swagger-codegen/modules/swagger-codegen/src/main/resources/Groovy/build.gradle.mustache

Lines 11 to 13 in 4607a90

	repositories {
	maven { url 'http:https://repo.jfrog.org/artifactory/gradle-plugins' }
	}

swagger-codegen/modules/swagger-codegen/src/main/resources/Groovy/build.gradle.mustache

Lines 22 to 23 in 4607a90

	mavenCentral(artifactUrls: ['http:https://maven.springframework.org/milestone'])
	maven { url "http:https://$artifactory:8080/artifactory/repo" }

swagger-codegen/samples/client/petstore/groovy/build.gradle

Lines 11 to 13 in 4607a90

	repositories {
	maven { url 'http:https://repo.jfrog.org/artifactory/gradle-plugins' }
	}

swagger-codegen/samples/client/petstore/groovy/build.gradle

Lines 22 to 23 in 4607a90

	mavenCentral(artifactUrls: ['http:https://maven.springframework.org/milestone'])
	maven { url "http:https://$artifactory:8080/artifactory/repo" }

swagger-codegen/samples/server/petstore/kotlin-server/ktor/build.gradle

Line 60 in 4607a90

maven { url "http:https://dl.bintray.com/kotlin/ktor" }

swagger-codegen/modules/swagger-codegen/src/main/resources/kotlin-server/libraries/ktor/build.gradle.mustache

Line 60 in 4607a90

maven { url "http:https://dl.bintray.com/kotlin/ktor" }

swagger-codegen/modules/swagger-codegen/src/main/resources/finch/build.sbt

Line 13 in 4607a90

resolvers += "TM" at "http:https://maven.twttr.com"

swagger-codegen/modules/swagger-codegen/src/main/resources/finch/build.sbt

Lines 17 to 19 in 4607a90

	resolvers += "Sonatype OSS Snapshots" at "http:https://oss.sonatype.org/content/repositories/snapshots/"
	resolvers += "Sonatype OSS Releases" at "http:https://oss.sonatype.org/content/repositories/releases/"

Public Disclosure

This issue requires public disclosure as it impacts users that have used this project to generate their starter projects.

A project maintainer needs to file for a CVE number to inform the public about this vulnerability.

If a maintainer on this project works for or is associated with a CNA, please have them file it with them:
cve.mitre.org/cve/request_id.html

Otherwise, an open source CVE should be filed for here:
iwantacve.org

[JLLeitschuh]

Ping!

[frantuma]

fixed in #9389

[JLLeitschuh]

Has a CVE been issued?

[JLLeitschuh]

Also, what version was this released as 'fixed' in?

[frantuma]

we are working on the CVE process, and will notify about updates