Harden installers: remove Unblock-File, add HTTPS-only URL validation

DeusData · DeusData · commit a89bf96382b9 · 2026-04-14T20:44:17.000+02:00
install.ps1: - Remove both Unblock-File calls (Defender ClickFix.R!ml signal) - Remove ExecutionPolicy ByPass from usage comment (scanned by Defender) - Add HTTPS-only URL scheme check on CBM_DOWNLOAD_URL install.sh: - Add HTTPS-only URL scheme check on CBM_DOWNLOAD_URL pkg/go wrapper: - Add validateURLScheme() to httpGet and fetchChecksums (defense-in-depth, matching Python wrapper's _validate_url_scheme from PR #248) All installers now allow localhost/127.0.0.1 for testing but reject http://, ftp://, file:// and other schemes.
diff --git a/install.ps1 b/install.ps1
@@ -1,7 +1,6 @@
 # install.ps1 — One-line installer for codebase-memory-mcp (Windows).
 #
-# Usage:
-#   powershell -ExecutionPolicy ByPass -c "irm https://raw.githubusercontent.com/DeusData/codebase-memory-mcp/main/install.ps1 | iex"
+# Usage: see README.md for install instructions.
 #
 # Environment:
 #   CBM_DOWNLOAD_URL  Override base URL for downloads (for testing)
@@ -13,6 +12,12 @@ $InstallDir = "$env:LOCALAPPDATA\Programs\codebase-memory-mcp"
 $BinName = "codebase-memory-mcp.exe"
 $BaseUrl = if ($env:CBM_DOWNLOAD_URL) { $env:CBM_DOWNLOAD_URL } else { "https://github.com/$Repo/releases/latest/download" }
 
+# Security: reject non-HTTPS download URLs (defense-in-depth)
+if (-not $BaseUrl.StartsWith("https://") -and -not $BaseUrl.StartsWith("http://localhost") -and -not $BaseUrl.StartsWith("http://127.0.0.1")) {
+    Write-Host "error: refusing non-HTTPS download URL: $BaseUrl" -ForegroundColor Red
+    exit 1
+}
+
 # Detect variant from args (--ui or --standard)
 $Variant = "standard"
 $SkipConfig = $false
@@ -89,9 +94,6 @@ if (-not (Test-Path $DlBin)) {
     }
 }
 
-# Remove MOTW from extracted binary
-Unblock-File -Path $DlBin -ErrorAction SilentlyContinue
-
 # Install
 New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
 $Dest = Join-Path $InstallDir $BinName
@@ -108,7 +110,6 @@ if (Test-Path $Dest) {
 }
 
 Copy-Item $DlBin $Dest -Force
-Unblock-File -Path $Dest -ErrorAction SilentlyContinue
 
 # Verify
 try {
diff --git a/install.sh b/install.sh
@@ -17,6 +17,12 @@ VARIANT="standard"
 SKIP_CONFIG=false
 CBM_DOWNLOAD_URL="${CBM_DOWNLOAD_URL:-https://github.com/${REPO}/releases/latest/download}"
 
+# Security: reject non-HTTPS download URLs (defense-in-depth)
+case "$CBM_DOWNLOAD_URL" in
+    https://*|http://localhost*|http://127.0.0.1*) ;;
+    *) echo "error: refusing non-HTTPS download URL: $CBM_DOWNLOAD_URL" >&2; exit 1 ;;
+esac
+
 for arg in "$@"; do
     case "$arg" in
         --ui)           VARIANT="ui" ;;
diff --git a/pkg/go/cmd/codebase-memory-mcp/main.go b/pkg/go/cmd/codebase-memory-mcp/main.go
@@ -173,8 +173,19 @@ func download(dest string) error {
 	return nil
 }
 
-func httpGet(url, dest string) error {
-	resp, err := http.Get(url) //nolint:gosec
+// validateURLScheme rejects non-https URLs before any fetch (defense-in-depth).
+func validateURLScheme(rawURL string) error {
+	if !strings.HasPrefix(rawURL, "https://") {
+		return fmt.Errorf("refusing non-https URL: %s", rawURL)
+	}
+	return nil
+}
+
+func httpGet(rawURL, dest string) error {
+	if err := validateURLScheme(rawURL); err != nil {
+		return err
+	}
+	resp, err := http.Get(rawURL) //nolint:gosec
 	if err != nil {
 		return err
 	}
@@ -192,6 +203,9 @@ func httpGet(url, dest string) error {
 }
 
 func fetchChecksums(url string) (map[string]string, error) {
+	if err := validateURLScheme(url); err != nil {
+		return nil, err
+	}
 	resp, err := http.Get(url) //nolint:gosec
 	if err != nil {
 		return nil, err
