Copilot commented on code in PR #13432:
URL: https://github.com/apache/apisix/pull/13432#discussion_r3297103669


##########
ci/linux-install-openresty.sh:
##########
@@ -22,38 +22,64 @@ source ./ci/common.sh
 export_version_info
 
 ARCH=${ARCH:-`(uname -m | tr '[:upper:]' '[:lower:]')`}
-arch_path=""
-if [[ $ARCH == "arm64" ]] || [[ $ARCH == "aarch64" ]]; then
-    arch_path="arm64/"
-fi
-
-wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
-wget -qO - http://repos.apiseven.com/pubkey.gpg | sudo apt-key add -
-sudo apt-get -y update --fix-missing
-sudo apt-get -y install software-properties-common
-sudo add-apt-repository -y "deb 
https://openresty.org/package/${arch_path}ubuntu $(lsb_release -sc) main"
-sudo add-apt-repository -y "deb 
http://repos.apiseven.com/packages/${arch_path}debian bullseye main"
-
-sudo apt-get update
-sudo apt-get install -y openresty-pcre-dev openresty-zlib-dev build-essential 
gcc g++ cpanminus
 
 SSL_LIB_VERSION=${SSL_LIB_VERSION-openssl}
 ENABLE_FIPS=${ENABLE_FIPS:-"false"}
 
-if [ "$SSL_LIB_VERSION" == "tongsuo" ]; then
-    export openssl_prefix=/usr/local/tongsuo
-    export zlib_prefix=$OPENRESTY_PREFIX/zlib
-    export pcre_prefix=$OPENRESTY_PREFIX/pcre
+if [ "$SSL_LIB_VERSION" == "tongsuo" ] || [ "$ENABLE_FIPS" == "true" ]; then
+    arch_path=""
+    if [[ $ARCH == "arm64" ]] || [[ $ARCH == "aarch64" ]]; then
+        arch_path="arm64/"
+    fi
 
-    export cc_opt="-DNGX_LUA_ABORT_AT_PANIC -I${zlib_prefix}/include 
-I${pcre_prefix}/include -I${openssl_prefix}/include"
-    export ld_opt="-L${zlib_prefix}/lib -L${pcre_prefix}/lib 
-L${openssl_prefix}/lib64 
-Wl,-rpath,${zlib_prefix}/lib:${pcre_prefix}/lib:${openssl_prefix}/lib64"
-fi
+    wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
+    wget -qO - http://repos.apiseven.com/pubkey.gpg | sudo apt-key add -
+    sudo apt-get -y update --fix-missing
+    sudo apt-get -y install software-properties-common
+    sudo add-apt-repository -y "deb 
https://openresty.org/package/${arch_path}ubuntu $(lsb_release -sc) main"
+    sudo add-apt-repository -y "deb 
http://repos.apiseven.com/packages/${arch_path}debian bullseye main"

Review Comment:
   The Tongsuo/FIPS branch fetches the APT repo key and repo metadata over 
plain HTTP and installs the key via `apt-key`. HTTP allows MITM key/repo 
injection, and `apt-key` is deprecated on modern Ubuntu/Debian.
   
   Consider switching to HTTPS URLs (if available) and installing keys into 
`/usr/share/keyrings/*.gpg` (e.g., `gpg --dearmor`) with a `signed-by=` entry 
in the `deb` line instead of `apt-key`.



##########
ci/linux-install-openresty.sh:
##########
@@ -22,38 +22,64 @@ source ./ci/common.sh
 export_version_info
 
 ARCH=${ARCH:-`(uname -m | tr '[:upper:]' '[:lower:]')`}
-arch_path=""
-if [[ $ARCH == "arm64" ]] || [[ $ARCH == "aarch64" ]]; then
-    arch_path="arm64/"
-fi
-
-wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
-wget -qO - http://repos.apiseven.com/pubkey.gpg | sudo apt-key add -
-sudo apt-get -y update --fix-missing
-sudo apt-get -y install software-properties-common
-sudo add-apt-repository -y "deb 
https://openresty.org/package/${arch_path}ubuntu $(lsb_release -sc) main"
-sudo add-apt-repository -y "deb 
http://repos.apiseven.com/packages/${arch_path}debian bullseye main"
-
-sudo apt-get update
-sudo apt-get install -y openresty-pcre-dev openresty-zlib-dev build-essential 
gcc g++ cpanminus
 
 SSL_LIB_VERSION=${SSL_LIB_VERSION-openssl}
 ENABLE_FIPS=${ENABLE_FIPS:-"false"}
 
-if [ "$SSL_LIB_VERSION" == "tongsuo" ]; then
-    export openssl_prefix=/usr/local/tongsuo
-    export zlib_prefix=$OPENRESTY_PREFIX/zlib
-    export pcre_prefix=$OPENRESTY_PREFIX/pcre
+if [ "$SSL_LIB_VERSION" == "tongsuo" ] || [ "$ENABLE_FIPS" == "true" ]; then
+    arch_path=""
+    if [[ $ARCH == "arm64" ]] || [[ $ARCH == "aarch64" ]]; then
+        arch_path="arm64/"
+    fi
 
-    export cc_opt="-DNGX_LUA_ABORT_AT_PANIC -I${zlib_prefix}/include 
-I${pcre_prefix}/include -I${openssl_prefix}/include"
-    export ld_opt="-L${zlib_prefix}/lib -L${pcre_prefix}/lib 
-L${openssl_prefix}/lib64 
-Wl,-rpath,${zlib_prefix}/lib:${pcre_prefix}/lib:${openssl_prefix}/lib64"
-fi
+    wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
+    wget -qO - http://repos.apiseven.com/pubkey.gpg | sudo apt-key add -
+    sudo apt-get -y update --fix-missing
+    sudo apt-get -y install software-properties-common
+    sudo add-apt-repository -y "deb 
https://openresty.org/package/${arch_path}ubuntu $(lsb_release -sc) main"
+    sudo add-apt-repository -y "deb 
http://repos.apiseven.com/packages/${arch_path}debian bullseye main"
+
+    sudo apt-get update
+    sudo apt-get install -y openresty-pcre-dev openresty-zlib-dev 
build-essential gcc g++ cpanminus
+
+    if [ "$SSL_LIB_VERSION" == "tongsuo" ]; then
+        export openssl_prefix=/usr/local/tongsuo
+        export zlib_prefix=$OPENRESTY_PREFIX/zlib
+        export pcre_prefix=$OPENRESTY_PREFIX/pcre
+
+        export cc_opt="-DNGX_LUA_ABORT_AT_PANIC -I${zlib_prefix}/include 
-I${pcre_prefix}/include -I${openssl_prefix}/include"
+        export ld_opt="-L${zlib_prefix}/lib -L${pcre_prefix}/lib 
-L${openssl_prefix}/lib64 
-Wl,-rpath,${zlib_prefix}/lib:${pcre_prefix}/lib:${openssl_prefix}/lib64"
+    fi
+
+    install_apisix_runtime
+
+    if [ ! "$ENABLE_FIPS" == "true" ]; then
+        curl -o /usr/local/openresty/openssl3/ssl/openssl.cnf \
+            
https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/conf/openssl3/openssl.cnf
+    fi
+else
+    sudo apt-get -y update --fix-missing
+    sudo apt-get install -y build-essential gcc g++ cpanminus
+
+    case "$ARCH" in
+        x86_64|amd64)
+            DEB_ARCH="amd64"
+            ;;
+        arm64|aarch64)
+            DEB_ARCH="arm64"
+            ;;
+        *)
+            echo "Unsupported architecture: $ARCH" >&2
+            exit 1
+            ;;
+    esac
 
-install_apisix_runtime
+    
DEB_NAME="apisix-runtime-debug_${APISIX_RUNTIME}-0.debianbookworm-slim_${DEB_ARCH}.deb"
+    
RELEASE_URL="https://github.com/api7/apisix-build-tools/releases/download/apisix-runtime%2F${APISIX_RUNTIME}/${DEB_NAME}";
 
-if [ ! "$ENABLE_FIPS" == "true" ]; then
-curl -o /usr/local/openresty/openssl3/ssl/openssl.cnf \
-    
https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/conf/openssl3/openssl.cnf
+    wget --no-verbose --tries=3 --retry-connrefused "$RELEASE_URL" -O 
"/tmp/$DEB_NAME"
+    sudo apt-get install -y "/tmp/$DEB_NAME"
+    rm -f "/tmp/$DEB_NAME"
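Review bot: The downloaded `.deb` is written to the fixed path `/tmp/$DEB_NAME` in the shared `/tmp`, so any pre-existing file or symlink of that name is overwritten, and the `rm -f` on the last line is skipped when `apt-get install` fails under `set -e` (whether `ci/common.sh` enables it is not visible here); a `mktemp -d` scratch directory cleaned by an `EXIT` trap avoids both, with the caveat that `trap` replaces any handler `ci/common.sh` may already register, so chain it if one exists. The `RELEASE_URL=` assignment above the `wget` ends with a stray `;`, which bash accepts but reads as a leftover. `DEB_NAME` hardcodes `debianbookworm-slim` while the Tongsuo/FIPS branch derives the suite from `$(lsb_release -sc)`; a comment such as `# runtime .deb is only published for bookworm-slim; the runner must be ABI-compatible` would make that assumption explicit. Finally, the pre-change script fetched `openssl.cnf` for every non-FIPS build, but in the new layout that download sits only inside the Tongsuo/FIPS branch — if the runtime `.deb` does not ship its own `openssl3/ssl/openssl.cnf`, the default path has silently lost it, which is worth confirming.
```shell
    # … unchanged: DEB_ARCH case statement and DEB_NAME/RELEASE_URL assignments …
    tmpdir=$(mktemp -d)
    trap 'rm -rf -- "$tmpdir"' EXIT
    wget --no-verbose --tries=3 --retry-connrefused "$RELEASE_URL" -O "$tmpdir/$DEB_NAME"
    sudo apt-get install -y "$tmpdir/$DEB_NAME"
```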

Review Comment:
   The default OpenSSL path downloads a `.deb` from a GitHub release and 
installs it as root without any integrity verification. If the download is 
tampered with (or a compromised release asset is served), this becomes a CI 
supply-chain risk.
   
   Consider verifying a published SHA256/SHA512 checksum (stored in-repo or 
fetched from the same release and validated) before `apt-get install`, or 
consuming the runtime via a signed APT repository instead of a direct artifact 
URL.


