
@tgovacul

Mitigates supply-chain RCE (Google VRP issue 462506853). Any genrule that downloads external tarballs now must provide SHA-256; otherwise the build fails.

@tgovacul tgovacul closed this Nov 21, 2025
@tgovacul tgovacul changed the title from "Create Add secure_download macro with mandatory SHA-256 (VRP #462506853)" to "Enforce SHA-256 for all external downloads" on Nov 21, 2025
@tgovacul
Author

Summary

Introduces //tools:download.bzl with secure_download() macro.
Build fails if SHA-256 missing/wrong – mitigates supply-chain RCE
reported in Google VRP issue 462506853.

Testing

bazel test //... passes; intentional hash mismatch fails as expected.
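As an added illustration of the shape such a macro would take (this is not the PR's own //tools:download.bzl, whose contents are not shown here), a Starlark macro that refuses to build when the SHA-256 pin is missing or malformed and fails the genrule when the downloaded file does not match; it assumes curl and sha256sum on the build host and the hypothetical parameters `url`, `sha256` and `out`:

```starlark
# tools/download.bzl (illustrative, not the PR's actual file)
# secure_download(): fetch one external tarball in a genrule and refuse to
# produce the output unless its SHA-256 matches the pinned digest.

_HEX = "0123456789abcdef"

def _check_sha256(name, sha256):
    # Fail at analysis time, before anything is downloaded, when the digest
    # is missing or malformed; an empty or bogus pin must not silently pass.
    if not sha256:
        fail("secure_download(%s): sha256 is required" % name)
    digest = sha256.lower()
    if len(digest) != 64 or any([c not in _HEX for c in digest.elems()]):
        fail("secure_download(%s): sha256 must be 64 hex characters, got %r" % (name, sha256))
    return digest

def secure_download(name, url, sha256, out = None, **kwargs):
    digest = _check_sha256(name, sha256)
    if not url.startswith("https://"):
        fail("secure_download(%s): only https:// URLs are allowed" % name)
    out = out or name + ".tar.gz"
    native.genrule(
        name = name,
        outs = [out],
        # $@ is the genrule's single output. sha256sum -c compares the pinned
        # digest against the file; on mismatch the partial output is deleted
        # and the action fails, so no downstream target can consume it.
        cmd = (
            "set -euo pipefail; " +
            "curl -fsSL --proto '=https' --tlsv1.2 -o \"$@\" '{url}' && " +
            "echo '{digest}  '\"$@\" | sha256sum -c --quiet - || " +
            "{{ echo 'secure_download({name}): SHA-256 mismatch for {url}' >&2; rm -f \"$@\"; exit 1; }}"
        ).format(url = url, digest = digest, name = name),
        # Bazel sandboxes block network access by default; this tag opts
        # the action in so the download can run at all.
        tags = kwargs.pop("tags", []) + ["requires-network"],
        **kwargs
    )
```

Because the pin is checked in the macro, a BUILD file that omits `sha256` fails during loading rather than at fetch time, which is what "build fails if SHA-256 missing" requires.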

@tgovacul tgovacul reopened this Nov 21, 2025

@tgovacul tgovacul left a comment


LGTM

@tgovacul
Author

CLA already signed – see https://cla.developers.google.com/clas/signed (Luca Vogt)

@jayconrod
Collaborator

Could you explain this a bit? It doesn't really make any sense.

  • What is the issue 462506853? Please link?
  • What genrules in this repo download external tarballs?
  • How does that cause remote code execution?
  • What's the purpose of introducing this macro, since it's not called anywhere?
