When downloading files over HTTPS, following redirects without enforcing the protocol can expose the transfer to a downgrade attack.
HTTP is a clear-text protocol that provides no encryption, making communications vulnerable to interception and modification. When an HTTP client is configured to follow redirects, an initial HTTPS connection can be silently downgraded to HTTP if the server redirects to an insecure location.
This rule detects curl commands that follow redirects using -L or --location without the --proto "=https" option, and wget commands that allow redirects without --max-redirect=0.
An attacker with access to network traffic can read the contents of the downloaded file, including any sensitive data it contains.
Because a downgraded HTTP connection is unencrypted, an attacker in a position to intercept traffic can modify the downloaded file in transit. If the file is an install script or software package, injected malicious code will execute on the target system.
The following command uses -L to follow redirects without restricting the protocol to HTTPS, allowing the connection to be silently downgraded.
```yaml
name: Install Script
on: push
jobs:
  install:
    runs-on: ubuntu-latest
    steps:
      - name: Download and run install script
        run: curl --tlsv1.2 -sSf -L https://might-redirect.example.com/install.sh -o install.sh # Noncompliant
```
Use --proto "=https" to ensure requests are only made using HTTPS. Any attempt to redirect to a location using HTTP will result in an error.
```yaml
name: Install Script
on: push
jobs:
  install:
    runs-on: ubuntu-latest
    steps:
      - name: Download and run install script
        run: curl --proto "=https" --tlsv1.2 -sSf -L https://might-redirect.example.com/install.sh -o install.sh
```
If you expect the server to return the file without redirects, remove the -L or --location option instead.
```yaml
name: Install Script
on: push
jobs:
  install:
    runs-on: ubuntu-latest
    steps:
      - name: Download and run install script
        run: curl --tlsv1.2 -sSf https://might-redirect.example.com/install.sh -o install.sh
```
wget follows HTTP redirects by default without restricting the protocol, allowing the connection to be silently downgraded to HTTP. wget does not support restricting redirects to HTTPS, so curl should be used instead when redirects are expected.
```yaml
name: Install Script
on: push
jobs:
  install:
    runs-on: ubuntu-latest
    steps:
      - name: Download and run install script
        run: wget --secure-protocol=TLSv1_2 -q -O install.sh https://might-redirect.example.com/install.sh # Noncompliant
```
Use --max-redirect=0 to disable redirect following entirely.
```yaml
name: Install Script
on: push
jobs:
  install:
    runs-on: ubuntu-latest
    steps:
      - name: Download and run install script
        run: wget --secure-protocol=TLSv1_2 --max-redirect=0 -q -O install.sh https://might-redirect.example.com/install.sh
```
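The rule above, for both the curl and the wget cases, amounts to a check on the `run:` command line of each workflow step. The following Python checker is an added example, not the rule's own implementation: it applies the two conditions the rule states (curl with -L/--location but no `--proto "=https"`; wget without `--max-redirect=0`) to shell command lines, tokenizing them with shlex so that quoted values and the trailing `# Noncompliant` comment are handled correctly. The sample lines are constructed from the commands shown on this page, and `extract_run_command` assumes a single-line `run:` value (multi-line `run: |` blocks are not handled).

```python
import re
import shlex

# Constructed sample `run:` lines, taken from the commands shown above.
SAMPLE_RUN_LINES = [
    'curl --tlsv1.2 -sSf -L https://might-redirect.example.com/install.sh -o install.sh # Noncompliant',
    'curl --proto "=https" --tlsv1.2 -sSf -L https://might-redirect.example.com/install.sh -o install.sh',
    'curl --tlsv1.2 -sSf https://might-redirect.example.com/install.sh -o install.sh',
    'wget --secure-protocol=TLSv1_2 -q -O install.sh https://might-redirect.example.com/install.sh # Noncompliant',
    'wget --secure-protocol=TLSv1_2 --max-redirect=0 -q -O install.sh https://might-redirect.example.com/install.sh',
]

RUN_LINE = re.compile(r'^\s*-?\s*run:\s*(.*)$')


def extract_run_command(yaml_line):
    """Return the shell command of a single-line `run:` step, or None for other lines."""
    m = RUN_LINE.match(yaml_line)
    return m.group(1) if m else None


def _curl_follows_redirects(argv):
    # -L may stand alone or be bundled with other short flags (e.g. -sSfL).
    # Limitation: an attached option value such as -oLfile would also match.
    for arg in argv[1:]:
        if arg == '--location':
            return True
        if arg.startswith('-') and not arg.startswith('--') and 'L' in arg[1:]:
            return True
    return False


def _curl_https_only(argv):
    # `--proto "=https"` restricts curl to HTTPS for the initial request and redirects.
    # shlex has already removed the shell quotes around =https.
    for i in range(1, len(argv) - 1):
        if argv[i] == '--proto' and argv[i + 1].strip() == '=https':
            return True
    return False


def _wget_redirects_disabled(argv):
    # Accept both --max-redirect=0 and the two-token form --max-redirect 0.
    for i, arg in enumerate(argv[1:], 1):
        if arg == '--max-redirect=0':
            return True
        if arg == '--max-redirect' and i + 1 < len(argv) and argv[i + 1] == '0':
            return True
    return False


def check_run_line(command):
    """Return a finding message for a noncompliant download command, or None."""
    try:
        argv = shlex.split(command, comments=True)  # drops a trailing "# ..." comment
    except ValueError:
        return None  # unbalanced quotes: not a command this checker can reason about
    if not argv:
        return None
    tool = argv[0].rsplit('/', 1)[-1]  # tolerate /usr/bin/curl
    if tool == 'curl':
        if _curl_follows_redirects(argv) and not _curl_https_only(argv):
            return 'curl follows redirects (-L/--location) without --proto "=https"'
        return None
    if tool == 'wget':
        if not _wget_redirects_disabled(argv):
            return 'wget follows redirects without --max-redirect=0'
        return None
    return None


def scan(commands):
    """Return (1-based index, finding) pairs for every noncompliant command."""
    findings = []
    for n, command in enumerate(commands, 1):
        finding = check_run_line(command)
        if finding:
            findings.append((n, finding))
    return findings


if __name__ == '__main__':
    for n, finding in scan(SAMPLE_RUN_LINES):
        print(f'line {n}: {finding}')
```

Running the block reports lines 1 and 4 of the sample, which are exactly the two steps marked Noncompliant above. To apply it to a real workflow file, read it line by line, pass each line through `extract_run_command`, and feed the non-None results to `scan`.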
Documentation: the curl --proto <protocols> option and the wget --max-redirect= option.