Potential Mitigation for Abandoned S3 Buckets in Casks #5954
Unanswered
thatrobotdev asked this question in Tap maintenance and brew development
Replies: 0 comments
Hi,
I wanted to bring up a potential concern regarding casks that specify `sha256 :no_check` while using a verified `s3.amazonaws.com` URL. A recent report by watchTowr suggests that abandoned S3 buckets can sometimes be re-registered by bad actors, which could pose a security risk. As an example, the article mentioned how the GitUp cask was configured to download a .zip archive from a (presumably) abandoned S3 bucket without the sha256 check until it was updated in Homebrew/homebrew-cask@fd9a0b6.
Since Homebrew 4.0.0, this risk is significantly reduced because Homebrew fetches the most recently updated cask via the API, preventing installation of outdated versions with abandoned S3 buckets. However, this does rely on cask maintainers actively verifying that S3 links remain valid and secure over time.
I understand this may be outside of Homebrew’s threat model, but I wanted to ask if automated checks for deregistered S3 buckets and requiring a sha256 field for verified S3 links would be reasonable mitigations against potential supply chain attacks in the future.
I’d be happy to contribute, whether by updating affected casks or working on a lint check to flag casks that could be vulnerable to this issue. Would either of these be useful contributions, or would they fall outside Homebrew’s scope?
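An added example of the lint check the post proposes (this is not Homebrew's own `brew audit` code and not from the post): it flags cask sources that pair `sha256 :no_check` with an S3 download URL or `verified:` host, matching path-style, virtual-hosted and regional S3 hostnames. The `SAMPLE_CASKS` sources and all function names are constructed for the demo.

```ruby
require "uri"
# Constructed cask sources for the demo (not real casks from homebrew-cask).
SAMPLE_CASKS = {
  "unchecked-s3" => <<~CASK,
    cask "unchecked-s3" do
      sha256 :no_check
      url "https://example-bucket.s3.amazonaws.com/app-1.2.0.zip",
          verified: "example-bucket.s3.amazonaws.com/"
      app "Example.app"
    end
  CASK
  "pinned-s3" => <<~CASK,
    cask "pinned-s3" do
      sha256 "0000000000000000000000000000000000000000000000000000000000000000"
      url "https://example-bucket.s3.amazonaws.com/app-1.2.0.zip"
      app "Example.app"
    end
  CASK
  "unchecked-github" => <<~CASK,
    cask "unchecked-github" do
      sha256 :no_check
      url "https://github.com/example/app/releases/latest/download/app.zip"
      app "Example.app"
    end
  CASK
}.freeze

# Matches path-style (s3.amazonaws.com), virtual-hosted and regional S3 hostnames.
S3_HOST = /(?:\A|\.)s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\z/i

# True when a URL, or a bare `verified:` host/path, points at an S3 endpoint.
def s3_host?(value)
  host = value.include?("://") ? URI.parse(value).host : value.split("/").first
  !host.nil? && host.match?(S3_HOST)
rescue URI::InvalidURIError
  false
end

# Every `url "..."` literal plus every `verified:` host in the cask source.
def download_locations(source)
  source.scan(/^\s*url\s+["']([^"']+)["']/).flatten +
    source.scan(/verified:\s*["']([^"']+)["']/).flatten
end

# Names of casks that skip the checksum while downloading from S3.
def unchecked_s3_casks(casks)
  casks.select do |_name, src|
    src.match?(/^\s*sha256\s+:no_check\b/) && download_locations(src).any? { |loc| s3_host?(loc) }
  end.keys
end
```

Running `unchecked_s3_casks(SAMPLE_CASKS)` returns only `["unchecked-s3"]`: the S3 cask with a pinned hash and the `:no_check` cask on a non-S3 host are not flagged.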