Information disclosure from HTTP URL in Ansible get_url task

High Risk | infrastructure-security
Tags: ansible, get-url, http, file-download, information-disclosure, man-in-the-middle, supply-chain-attack

What it is

Ansible get_url tasks configured with HTTP URLs download files without TLS encryption, enabling attackers to intercept, modify, and inject malicious content through man-in-the-middle attacks. This vulnerability allows attackers to replace legitimate files with malware, capture sensitive downloads, steal credentials transmitted during file transfers, and compromise systems that consume the downloaded content.

# VULNERABLE: Ansible get_url with insecure HTTP downloads
- name: Download files insecurely
  hosts: all
  tasks:
    # VULNERABLE: HTTP download without encryption
    - name: Download application binary
      ansible.builtin.get_url:
        url: "http://downloads.example.com/app/app-v1.0.0.tar.gz"  # VULNERABLE: HTTP
        dest: "/opt/app/app-v1.0.0.tar.gz"
        
    # VULNERABLE: Configuration file over HTTP
    - name: Download configuration template
      ansible.builtin.get_url:
        url: "http://config.example.com/templates/app.conf"  # VULNERABLE: HTTP
        dest: "/etc/app/app.conf"
        mode: '0644'
        
    # VULNERABLE: Script download over HTTP
    - name: Download installation script
      ansible.builtin.get_url:
        url: "http://scripts.example.com/install.sh"  # VULNERABLE: HTTP
        dest: "/tmp/install.sh"
        mode: '0755'
        
    # VULNERABLE: HTTPS with disabled validation
    - name: Download with disabled cert validation
      ansible.builtin.get_url:
        url: "https://internal.example.com/packages/tool.deb"
        dest: "/tmp/tool.deb"
        validate_certs: no  # VULNERABLE: Disables certificate validation
        
    # VULNERABLE: Sensitive file over HTTP
    - name: Download database dump
      ansible.builtin.get_url:
        url: "http://backups.example.com/db/{{ database_name }}.sql"  # VULNERABLE: HTTP
        dest: "/backup/{{ database_name }}.sql"
        
    # VULNERABLE: No integrity verification
    - name: Download critical system update
      ansible.builtin.get_url:
        url: "http://updates.example.com/security-patch.rpm"  # VULNERABLE: HTTP + no checksum
        dest: "/tmp/security-patch.rpm"

# SECURE: Ansible get_url with HTTPS and certificate validation
- name: Download files securely
  hosts: all
  tasks:
    # SECURE: HTTPS download with certificate validation
    - name: Download application binary securely
      ansible.builtin.get_url:
        url: "https://downloads.example.com/app/app-v1.0.0.tar.gz"  # SECURE: HTTPS
        dest: "/opt/app/app-v1.0.0.tar.gz"
        validate_certs: yes  # SECURE: Validate certificates
        
    # SECURE: Configuration file over HTTPS
    - name: Download configuration template securely
      ansible.builtin.get_url:
        url: "https://config.example.com/templates/app.conf"  # SECURE: HTTPS
        dest: "/etc/app/app.conf"
        validate_certs: yes
        mode: '0644'
        
    # SECURE: Script download over HTTPS
    - name: Download installation script securely
      ansible.builtin.get_url:
        url: "https://scripts.example.com/install.sh"  # SECURE: HTTPS
        dest: "/tmp/install.sh"
        validate_certs: yes
        mode: '0755'
        
    # SECURE: HTTPS with certificate validation enabled
    - name: Download with certificate validation
      ansible.builtin.get_url:
        url: "https://internal.example.com/packages/tool.deb"
        dest: "/tmp/tool.deb"
        validate_certs: yes  # SECURE: Certificate validation enabled
        
    # SECURE: Sensitive file over HTTPS
    - name: Download database dump securely
      ansible.builtin.get_url:
        url: "https://backups.example.com/db/{{ database_name }}.sql"  # SECURE: HTTPS
        dest: "/backup/{{ database_name }}.sql"
        validate_certs: yes
        
    # SECURE: Critical system update with checksum
    - name: Download critical system update securely
      ansible.builtin.get_url:
        url: "https://updates.example.com/security-patch.rpm"  # SECURE: HTTPS
        dest: "/tmp/security-patch.rpm"
        validate_certs: yes
        checksum: "sha256:{{ security_patch_checksum }}"  # SECURE: Integrity check


Why it happens

Ansible get_url tasks are configured to download files from HTTP sources instead of HTTPS, transmitting file content without encryption and exposing downloads to interception and modification.

Root causes

Unencrypted File Download Sources

The download source itself is the weakness: the task's url uses the http:// scheme (or points at an HTTPS endpoint with validate_certs disabled), so the file body travels in cleartext and the server is never authenticated, leaving anyone on the network path free to read or alter the content before Ansible writes it to dest.

Legacy Download Infrastructure

Organizations continue using HTTP-based file repositories and download mirrors that lack HTTPS support, prioritizing availability over secure file transfer mechanisms.

Fixes

1. Use HTTPS URLs for File Downloads

Replace HTTP URLs with HTTPS in Ansible get_url tasks and set validate_certs: true to ensure encrypted file transfers and server authentication for all download operations.

2. Implement File Integrity Verification

Use checksums, digital signatures, or hash verification with get_url tasks to validate file integrity and detect tampering, even when downloading over secure channels.

3. Configure Secure Download Mirrors

Use HTTPS-enabled download mirrors and repositories with valid SSL certificates, or implement secure channels like VPN or private networks for file distribution.
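The three fixes above can be checked for mechanically before a playbook runs. The following Python script is an added example, not code from this page, from Sourcery, or from the Ansible project: it scans a playbook for get_url tasks and reports the plaintext http:// scheme (fix 1), a disabled validate_certs (fix 1), and a missing checksum pin (fix 2), and it shows how to produce the sha256:<hex> value that get_url's checksum parameter expects from a known-good copy of the artifact. It is a line-oriented scan that assumes the one-key-per-line layout used in the playbooks above rather than a full YAML parse; the embedded playbook and the artifact bytes are constructed for the example.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample playbook (not from any real project). It mirrors the
# task shapes shown above: one plaintext download, one HTTPS download with
# validation disabled, and one correctly pinned download.
SAMPLE_PLAYBOOK = """\
- name: Download files
  hosts: all
  tasks:
    - name: Download application binary
      ansible.builtin.get_url:
        url: "http://downloads.example.com/app/app-v1.0.0.tar.gz"
        dest: "/opt/app/app-v1.0.0.tar.gz"

    - name: Download with disabled cert validation
      ansible.builtin.get_url:
        url: "https://internal.example.com/packages/tool.deb"
        dest: "/tmp/tool.deb"
        validate_certs: no

    - name: Download critical system update securely
      ansible.builtin.get_url:
        url: "https://updates.example.com/security-patch.rpm"
        dest: "/tmp/security-patch.rpm"
        validate_certs: yes
        checksum: "sha256:{{ security_patch_checksum }}"
"""

# Spellings YAML/Ansible accept as boolean false for validate_certs.
FALSE_VALUES = {"no", "false", "off", "0"}
# Module keys under which get_url appears (FQCN and short name).
GET_URL_KEYS = ("ansible.builtin.get_url:", "get_url:")
KEY_RE = re.compile(r"^\s*([A-Za-z_]+):\s*(.*?)\s*$")


def _strip_quotes(value: str) -> str:
    """Drop a trailing YAML comment and surrounding quotes from a scalar."""
    value = value.split(" #", 1)[0].strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def extract_get_url_tasks(playbook_text: str) -> List[Tuple[int, Dict[str, str]]]:
    """Return (1-based line number of the module key, parameters) per get_url task.

    After a get_url module key, every more-indented `key: value` line belongs
    to that task until the indentation drops back to the module's level.
    """
    tasks: List[Tuple[int, Dict[str, str]]] = []
    lines = playbook_text.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip() in GET_URL_KEYS:
            module_indent = len(lines[i]) - len(lines[i].lstrip())
            start_line = i + 1
            params: Dict[str, str] = {}
            i += 1
            while i < len(lines):
                line = lines[i]
                if line.strip() and (len(line) - len(line.lstrip())) <= module_indent:
                    break  # dedent: next task or play begins here
                m = KEY_RE.match(line)
                if m:
                    params[m.group(1)] = _strip_quotes(m.group(2))
                i += 1
            tasks.append((start_line, params))
        else:
            i += 1
    return tasks


def audit_get_url(playbook_text: str) -> List[str]:
    """Flag plaintext HTTP, disabled certificate validation and missing checksums."""
    findings: List[str] = []
    for line_no, params in extract_get_url_tasks(playbook_text):
        url = params.get("url", "")
        if url.lower().startswith("http://"):
            findings.append(f"line {line_no}: plaintext HTTP download of {url}")
        # validate_certs defaults to true in get_url, so only an explicit false is a finding.
        if params.get("validate_certs", "yes").lower() in FALSE_VALUES:
            findings.append(f"line {line_no}: validate_certs disabled for {url}")
        if "checksum" not in params:
            findings.append(f"line {line_no}: no checksum pinned for {url}")
    return findings


def pinned_checksum(content: bytes) -> str:
    """Value for get_url's checksum parameter, computed from a known-good artifact."""
    return "sha256:" + hashlib.sha256(content).hexdigest()


if __name__ == "__main__":
    for finding in audit_get_url(SAMPLE_PLAYBOOK):
        print(finding)
    print(pinned_checksum(b"constructed artifact bytes"))
```

Because validate_certs already defaults to true, the secure playbook above would behave the same with the explicit `validate_certs: yes` lines removed; the scan therefore only reports the key when it is explicitly set to a false value. Compute the checksum from a copy of the artifact obtained out of band (a vendor-published digest or a file verified by signature), never from the same untrusted download the task is about to perform.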

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure from HTTP URLs in Ansible get_url tasks and many other security issues in your codebase.