[SECURITY VULNERABILITY] FetchContent_Declare needs to require a cryptographic hash fingerprint argument to be secure
The cmake function FetchContent_Declare
(https://cmake.org/cmake/help/latest/module/FetchContent.html) allows projects to download arbitrary tags from Git servers.
The Git protocol itself doesn't guarantee that the downloaded file corresponds to the requested tag. A malicious git server can easily return a malicious file instead.
This command, as defined, subjects users to this general security vulnerability.
Suggested remedy:
Add a required argument, HASH, that the project developer will have to supply in order to use this command.
I successfully used this command to reproducibly fetch a specific tag from the git server in the context of a FreeBSD port:
git clone -q ${GIT_URL} ${PORTNAME}-${DISTVERSIONFULL} && \
(cd ${PORTNAME}-${DISTVERSIONFULL} && git reset -q --hard ${DISTVERSIONFULL} && ${RM} -r .git) && \
${FIND} ${PORTNAME}-${DISTVERSIONFULL} -and -exec ${TOUCH} -h -d 1970-01-01T00:00:00Z {} \; && \
${FIND} ${PORTNAME}-${DISTVERSIONFULL} -print0 | LC_ALL=C ${SORT} -z | \
${TAR} czf ${PORTNAME}-${DISTVERSIONFULL}${EXTRACT_SUFX} --format=bsdtar --gid 0 --uid 0 --options gzip:!timestamp --no-recursion --null -T - && \
${RM} -r ${PORTNAME}-${DISTVERSIONFULL}; \
cmake should use a similar sequence of commands under the hood to make the fetch reproducible.
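For comparison, the following is an added example (not part of the report, and not CMake project code) showing what a project can already do today with the documented FetchContent_Declare options to pin the fetched content, next to the unpinned form the report objects to. The project name, repository URL, archive URL and the hash values are placeholders chosen for illustration.

```cmake
include(FetchContent)

# Weak form: a tag name is a mutable pointer. The server (or anyone who
# controls it) can move the tag or serve different objects for it, and
# CMake has nothing to compare the result against.
FetchContent_Declare(
  somelib_unpinned
  GIT_REPOSITORY https://git.example.org/somelib.git   # placeholder URL
  GIT_TAG        v1.2.3                                # mutable reference
)

# Pinned form: a full commit hash identifies the exact tree. The fetch
# fails if the server cannot produce that commit, so a moved tag or a
# substituted object is detected rather than silently built.
FetchContent_Declare(
  somelib_pinned_git
  GIT_REPOSITORY https://git.example.org/somelib.git   # placeholder URL
  GIT_TAG        0123456789abcdef0123456789abcdef01234567  # placeholder: full commit SHA
)

# Archive form: URL_HASH gives the cryptographic fingerprint the report asks
# for. CMake hashes the downloaded file and refuses to use it on mismatch,
# which also covers the transport and any mirror in between.
FetchContent_Declare(
  somelib_pinned_archive
  URL      https://git.example.org/somelib/-/archive/v1.2.3/somelib-v1.2.3.tar.gz  # placeholder URL
  URL_HASH SHA256=0000000000000000000000000000000000000000000000000000000000000000  # placeholder: real sha256 of the archive
)

FetchContent_MakeAvailable(somelib_pinned_git somelib_pinned_archive)
```

Note that a commit hash is a SHA-1 identifier computed by Git, whereas URL_HASH lets the project choose a stronger algorithm such as SHA256 for the archive it actually consumes.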