Safety Download files

CeterisPartybus · January 1, 2024, 5:32pm

This might be a stupid question as I am not a network/security guy.
I am thinking about implementing a feature in a package I develop that downloads a file from an external server. Should safety be a concern here?

Specifically, I want to download a CSV file from a data repo using Downloads.download() and read it in afterwards. However, I worry that I accidentally implement a security risk. E.g. someone hacks the repo and exchanges the CSV file with a virus. Or someone resolves the URL to a different IP and makes the package download a virus from another server. Do I have to worry about these or similar scenarios and if yes: Could I mitigate the risk somehow?

Thanks!

fredrikekre · January 1, 2024, 10:11pm

Compare the hash (e.g. sha256sum) of the downloaded file with the corresponding hash you know is good. The good hash can be hardcoded in your package. If the hash mismatch you simply error. This is a very common method and is used for example by the package manager.

CeterisPartybus · January 1, 2024, 10:22pm

Awesome, thanks for the tip. Can you recommend any resource to read into it a bit more?

Jeff_Emanuel · January 2, 2024, 4:19pm