bug: add SHA256 verification for backend downloads #8475
+3
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Backend binaries were downloaded without SHA256 integrity verification, allowing potential supply chain attacks via MITM or gallery compromise. Added SHA256 field to GalleryBackend and passed it to the downloader.
✅ Deploy Preview for localai ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
kolega-ai-dev
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Vulnerability identified and fix provided by Kolega.dev
Description
This PR adds SHA256 integrity verification for backend binary downloads, closing a supply chain vulnerability where executable code was downloaded without cryptographic verification.
Notes for Reviewers
Vulnerability: Unvalidated File Downloads from Untrusted Sources
Location
core/gallery/backends.go:168-178Description
Backend files are downloaded from URLs without validating file content before execution. At line 168, backend binaries are downloaded using
uri.DownloadFileWithContext(ctx, backendPath, "", 1, 1, downloadStatus)with an empty SHA256 parameter. The downloader (uri.golines 479-488) explicitly skips SHA verification when sha is empty. Backends are executable code (run.shscripts and associated binaries) that LocalAI executes, making this a supply chain vulnerability.Analysis Notes
An attacker who can perform MITM attacks on the gallery URL, compromise the gallery server, or serve malicious content could inject arbitrary code that would be executed by LocalAI. The
GalleryBackendstruct did not have a SHA256 field for integrity verification, unlike theFilestruct used for model downloads which already supported SHA256 verification.Fix Applied
Added a
SHA256field to theGalleryBackendstruct (following the existing pattern from theFilestruct) and passedconfig.SHA256toDownloadFileWithContextcalls for both primary URI and mirror downloads. When gallery maintainers populate the SHA256 field, downloaded backends will be cryptographically verified. The fix is backward-compatible: existing gallery definitions without SHA256 values continue to work (the downloader logs a debug message and skips verification, matching current behavior).Tests/Linters Ran
go build ./core/gallery/...— passedgo vet ./core/gallery/...— passedgolangci-lint run ./core/gallery/...— passed (no issues)go test ./core/gallery/... -v -count=1— 4 pre-existing test failures on master (pointer equality comparisons in meta backend tests, unrelated to this change), all other 75 tests passed. Verified by running same tests on master branch.Contribution Notes
Signed commits