fix(appstore): refuse downgrade install (lower app_version) (PILOT-105)#3
Merged
Codecov Report❌ Patch coverage is
What

Adds downgrade protection to the app-store supervisor: refuses to install an app whose manifest `app_version` is lower than a currently-registered entry for the same app ID.

Why

The install flow had no monotonic version check — re-installing an older `app_version` on top of a newer one succeeded silently. This is a classic rollback-attack vector: a CVE patched in v1.2 can be re-introduced by reinstalling v1.1.

Changes

- `compareVersions()` — basic semver comparison (MAJOR.MINOR.PATCH with optional -PRERELEASE)
- `registerInstalled()` — refuses to replace in-memory entry with lower `app_version` (startup path)
- `rescanForNew()` — detects on-disk manifest version changes for already-known apps; refuses downgrades; upgrades are accepted and trigger a clean restart of the supervise goroutine
- `downgrade-refused` events written to supervisor.log for forensics

Scope: 1 production file (+~80 LoC), 1 test file (+~220 LoC), no denied paths.

Verification

Note

This is best-effort defense-in-depth. Full protection requires signed manifests (PILOT-98, the #5 dependency) to prevent an attacker from forging the `app_version` field alongside the binary. Until then, this prevents accidental operator downgrades and raises the bar for on-disk tampering (audit log + log warning trail).

Closes PILOT-105
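The following Go program is an added illustration of the rule the description lays out; it is not the PR's code, and the project's `compareVersions()`, `registerInstalled()` and `rescanForNew()` are not reproduced here. It implements a semver comparison that handles the prerelease ordering a plain string compare gets wrong (`rc.10` vs `rc.9`, `1.2.0-rc.1` vs `1.2.0`), and a registry that folds the startup and rescan paths into one `register` call which refuses any lower or unparseable version and records a `downgrade-refused` audit line. The `semver`, `registry`, `newRegistry` and `register` names, the `"started"`/`"unchanged"`/`"refused"` results and the audit line format are assumptions, the app ID used in the tests is constructed, and the code relies on the Go 1.21 standard-library `cmp` and `slices` packages.

```go
package main

import (
	"cmp"
	"errors"
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// Added example, not the project's code; every name below is an assumption.
type semver struct {
	core [3]int   // MAJOR, MINOR, PATCH
	pre  []string // prerelease identifiers; empty means a release
}

// parseVersion parses [v]MAJOR.MINOR.PATCH[-PRE][+BUILD]. Build metadata is dropped (semver gives it
// no ordering); core numbers are bounded unsigned decimals, so "+1", "-1" or an overflowing value is refused.
func parseVersion(s string) (semver, error) {
	s, _, _ = strings.Cut(strings.TrimPrefix(strings.TrimSpace(s), "v"), "+")
	core, pre, hasPre := strings.Cut(s, "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("bad version %q: want MAJOR.MINOR.PATCH", s)
	}
	var v semver
	for i, p := range parts {
		n, err := strconv.ParseUint(p, 10, 31)
		if err != nil {
			return semver{}, fmt.Errorf("bad version %q: %w", s, err)
		}
		v.core[i] = int(n)
	}
	if hasPre {
		v.pre = strings.Split(pre, ".")
	}
	return v, nil
}

// comparePreID orders two prerelease identifiers per semver: numeric ids compare numerically and sort
// before alphanumeric ids, which compare lexically (so rc.9 < rc.10, not the reverse).
func comparePreID(a, b string) int {
	an, errA := strconv.ParseUint(a, 10, 31)
	bn, errB := strconv.ParseUint(b, 10, 31)
	switch {
	case errA == nil && errB == nil:
		return cmp.Compare(an, bn)
	case errA != nil && errB != nil:
		return strings.Compare(a, b)
	case errA == nil:
		return -1
	}
	return 1
}

// compareVersions returns -1, 0 or +1 for a<b, a==b, a>b. A release sorts after all of its prereleases
// (1.2.0-rc.1 < 1.2.0) and a prerelease id list that is a prefix of a longer one sorts first.
func compareVersions(a, b string) (int, error) {
	va, errA := parseVersion(a)
	vb, errB := parseVersion(b)
	if err := errors.Join(errA, errB); err != nil {
		return 0, err
	}
	if c := slices.Compare(va.core[:], vb.core[:]); c != 0 {
		return c, nil
	}
	if len(va.pre) == 0 || len(vb.pre) == 0 {
		return cmp.Compare(len(vb.pre), len(va.pre)), nil
	}
	return slices.CompareFunc(va.pre, vb.pre, comparePreID), nil
}

// registry stands in for the supervisor's in-memory app table (the real one is shared with the
// supervise goroutines and needs a mutex); audit stands in for the downgrade-refused supervisor.log lines.
type registry struct {
	apps  map[string]string // app ID -> registered app_version
	audit []string
}

func newRegistry() *registry { return &registry{apps: map[string]string{}} }

// register applies the monotonic rule on both the startup and rescan paths. It returns "started" (new or
// upgraded entry: the caller (re)starts the supervise goroutine), "unchanged" or "refused"; a refused or
// unparseable version never replaces the current entry, so the check fails closed.
func (r *registry) register(id, version string) (string, error) {
	cur, known := r.apps[id]
	if !known {
		cur = version // first sighting: nothing to be lower than
	}
	c, err := compareVersions(version, cur)
	switch {
	case err != nil:
		return "refused", err
	case c < 0:
		r.audit = append(r.audit, fmt.Sprintf("downgrade-refused app=%s have=%s got=%s", id, cur, version))
		return "refused", fmt.Errorf("refusing downgrade of %s: have %s, got %s", id, cur, version)
	case c > 0 || !known:
		r.apps[id] = version
		return "started", nil
	}
	return "unchanged", nil
}
```

The compare deliberately parses numbers with `ParseUint` and a 31-bit bound rather than `Atoi`, so a manifest carrying `+1`, `-1` or a 40-digit field is refused instead of being ordered somewhere surprising; and an unparseable version is refused even for a first sighting, since silently registering it would give the next rescan nothing sound to compare against. None of this changes the caveat in the description: the rule only constrains what a manifest claims, and only signed manifests make that claim trustworthy.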