
    Checksum Verification for Web3j Installation Script: Safeguarding Against Malicious Attacks

    By Yeek.io, February 20, 2025

    In today’s digital world, where automation and scripting are essential for developers, security remains a paramount concern. One of the simplest ways to install developer tools is through scripts downloaded directly from the internet. However, this convenience also comes with inherent risks, especially when dealing with external sources.

    Web3j is a security-focused project, and it has taken steps to reduce the risks of running installer scripts, including protection against remote code execution (RCE) threats.

    The Problem: A Risk in Convenience

    Web3j provides installation scripts to make setup easier for developers. Typically, users can run the following commands to install Web3j:

    On macOS/Linux:

    curl -L get.web3j.io | sh

    On Windows:

    Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/hyperledger/web3j-installer/main/installer.ps1'))

    While these commands make installation quick and effortless, they introduce a serious security vulnerability: if a malicious actor gains access to modify the script at the source, they can inject malicious code. Users who unknowingly run these compromised scripts may expose their machines to Remote Code Execution (RCE). This could allow attackers to take control.

    The Solution: Built-in Checksum Verification

    To address this vulnerability, we have introduced SHA256 checksum verification into the Web3j installation script itself. Users no longer need to verify the checksum manually: the script checks its own integrity before executing, detects whether it has been modified, and so prevents the execution of any potentially malicious code.

    While the script performs its own verification, we also provide checksum values publicly so that users can independently verify them if they prefer to do so. This double layer of security is crucial for environments where strict verification processes are required.

    The checksum values for the installation scripts are stored in the following files:

    To verify the checksum manually, you can run the following commands for your respective operating system: 

    For macOS:

    sed '/^CHECKSUM_URL=/d' installer.sh | shasum -a 256 | awk '{print $1}'

    For Linux:

    sed '/^CHECKSUM_URL=/d' installer.sh | sha256sum | awk '{print $1}'

    For Windows:

    Get-Content "installer.ps1" | ForEach-Object { $_ -replace "`r", "" } | Where-Object { $_ -notmatch '^[\s]*\$ChecksumUrl' } | Out-String

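    After running the command, compare the output hash with the respective checksum file from the Web3j GitHub repository. If they match, the script is safe to run. If not, avoid running the script and report the issue immediately. Note that the Windows command as shown above ends at Out-String, so it prints the normalized script text; the step that computes the SHA256 hash of that text is not shown here.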
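
The manual check above as a download, verify, then run workflow for macOS/Linux. This is an added example, not code from the Web3j installer: the function names, the EXPECTED variable and the sample installer written by make_sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a saved installer.sh before running it.
# The expected digest is copied by hand from the published checksum file.

# Use whichever SHA-256 tool exists (sha256sum on Linux, shasum on macOS).
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    else
        shasum -a 256 | awk '{print $1}'
    fi
}

# Hash the script the way the page does: drop the CHECKSUM_URL line first.
# That line is therefore not covered by the digest; read it before running.
installer_digest() {
    sed '/^CHECKSUM_URL=/d' "$1" | sha256_stdin
}

# Return 0 on match, 1 on mismatch, 2 on a missing file or malformed digest.
verify_installer() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    [ -f "$file" ] || return 2
    # Reject anything that is not a 64-character hex digest.
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || return 2
    actual=$(installer_digest "$file") || return 2
    [ "$actual" = "$expected" ]
}

# Constructed stand-in for a downloaded installer (not the real script).
make_sample() {
    printf '%s\n' '#!/bin/sh' \
        'CHECKSUM_URL="https://example.invalid/installer.sh.sha256"' \
        'echo "installing"' > "$1"
}

# Usage: save the script to a file, verify it, then run it.
#   curl -L get.web3j.io -o installer.sh
#   verify_installer installer.sh "$EXPECTED" && sh installer.sh
```

Saving the script to a file first means the bytes that were hashed are the same bytes that run, which piping curl straight into sh cannot guarantee.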

    Why Fixing This Issue is Important

    Addressing the risk of RCE is critical because it directly impacts the security of the machines that run Web3j scripts. In a compromised scenario, an attacker can execute arbitrary commands on a victim’s machine. This could lead to data breaches, malware installation, or total system compromise.

    By implementing checksum verification inside the script and offering a manual verification option, we greatly reduce the risk of executing malicious scripts. This ensures the Web3j community remains safe and secure.

    Continuous Updates to Ensure Safety

    Web3j remains committed to the security of its users. The checksum values for the installer scripts will be updated if there are any changes to the script in the future. Users are encouraged to always verify the checksum before running the script, especially after downloading a fresh copy.

    Conclusion

    In conclusion, while installer scripts provide a convenient way to get started with Web3j, they also come with potential risks. With the introduction of checksum verification inside the script and the ability for users to manually verify checksums, we have strengthened the security of the entire Web3j ecosystem. Users can now confidently execute the installation script knowing that it is authentic and free from tampering, protecting their systems from potential attacks.

    Stay secure, and always verify!
