[SECURITY] Lua Artifacts are downloaded insecurely

[JLLeitschuh]

CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check

This project contain files that indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts can be MITMed to maliciously compromise them and infect the build artifacts that were produced.

This vulnerability has a CVSS v3.0 Base Score of 8.1/10
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

This isn't just theoretical

POC code has existed since 2014 to maliciously compromise software downloaded inflight.
See:

• Want to take over the Java ecosystem? All you need is a MITM!
• https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/
• https://github.com/mveytsman/dilettante

MITM Attacks Increasingly Common

See:

• https://serverfault.com/a/153065
• https://security.stackexchange.com/a/12050
• Comcast continues to inject its own code into websites you visit (over HTTP)

Source Locations

• gh-actions-lua/install-lua/main.js

  Line 42 in 596c2b8

  const luaSourceTar = await tc.downloadTool(`http://luajit.org/download/LuaJIT-${luajitVersion}.tar.gz`)

• gh-actions-lua/install-lua/main.js

  Line 77 in 596c2b8

  const luaSourceTar = await tc.downloadTool(`http://www.lua.org/ftp/lua-${luaVersion}.tar.gz`)

[leafo]

Thanks for catching this. We still need to add checksum validation

[JLLeitschuh]

I'm chatting with the GH Security team about wiring that in directly to the exposed API.

[JLLeitschuh]

This issue is now being tracked here: actions/toolkit#162