drivers should be downloaded over https

[rmg]

As per this report, the installer should be downloading files over https, not bare http.

It looks like a one-line change, so it is probably easier for one of the committers to fix rather than mucking with contribution policies.

/cc @qpresley

[bimalkjha]

The binary for ODBC library is hosted on http://public.dhe.ibm.com. so http package is used here to download the tar.gz file only and no source code. I think it should be fine as of now. thanks.

[rmg]

The fact that it is a binary actually makes it worse, since it can't easily be inspected and verified.

The problem isn't that public.dhe.ibm.com can't be trusted, the problem is that without SSL and certificate verification you can't verify that you are actually connecting to public.dhe.ibm.com.

Note that the https module built in to node core uses the same API as the http module. The changes required are minimal.

[vuldin]

The binaries are also available via HTTPS. Most modern, properly configured web servers serve their content both securely (HTTPS) and insecurely (HTTP):

https://public.dhe.ibm.com/ibmdl/export/pub/software/data/db2/drivers/odbc_cli//linuxx64_odbc_cli.tar.gz

Also, most modern, properly configured web applications take into account security, as mentioned by the original poster.

It makes no difference whether the link points to source code or binary, in fact it is worse if the content being downloaded is a binary.

[bimalkjha]

@vuldin Thanks. We'll push the fix for it soon.

[bimalkjha]

Advisory https://nodesecurity.io/advisories/163 is now updated with remediation. Thanks.

[vuldin]

Awesome thanks for your work.

[mafischer]

This solution has broken the ability to use IBM_DB_INSTALLER_URL with http.

[bimalkjha]

@mafischer The latest commit to master has fix for IBM_DB_INSTALLER_URL. Please verify. Thanks.