This repository has been archived by the owner on Jun 1, 2022. It is now read-only.

https://github.com/hyperledger/quilt/blob/master/.circleci/config.yml downloads zip file via HTTP to unsafe location and then unpacks it unsafely #473

Open
kurtseifried opened this issue Nov 3, 2020 · 0 comments

Comments

@kurtseifried

A man-in-the-middle attacker can potentially replace the zip file downloaded in https://github.com/hyperledger/quilt/blob/master/.circleci/config.yml as it traverses the network, since an HTTP link is used:

curl -L --cookie 'oraclelicense=accept-securebackup-cookie;' http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip -o /tmp/jce_policy.zip
unzip -o /tmp/jce_policy.zip -d /tmp
sudo mv -f /tmp/UnlimitedJCEPolicyJDK8/US_export_policy.jar $JAVA_HOME/jre/lib/security/US_export_policy.jar
sudo mv -f /tmp/UnlimitedJCEPolicyJDK8/local_policy.jar $JAVA_HOME/jre/lib/security/local_policy.jar

Additionally, a local attacker can predict where the file will be written (/tmp/jce_policy.zip) and potentially modify it.

Suggestions:

  1. use https://
  2. use mktemp to write to a secure file in /tmp
  3. use mktemp -d to make a secure directory to unpack the files into prior to copying
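The three suggestions above, applied together to the download step quoted in the report. This is an added example and not the project's CI configuration or a patch from the reporter; it assumes the policy archive is still served at the same path over https://, that $JAVA_HOME and the UnlimitedJCEPolicyJDK8/ layout are as in the original snippet, and that curl, unzip, mktemp and sudo are available in the CI image.

```shell
#!/bin/sh
# Hardened replacement for the JCE policy download step (added example, not
# the project's own config). Assumed: archive still published at the same
# path over https://, same zip layout, $JAVA_HOME set as in the original.
set -eu

# Suggestion 1: refuse anything that is not an https:// URL, so a plain-http
# link cannot slip back into the script unnoticed.
require_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-https URL: $1" >&2; return 1 ;;
    esac
}

# Suggestions 2 and 3: create a private scratch directory with an
# unpredictable name and mode 0700, and print its path. Both the downloaded
# zip and the unpacked files live inside it, so a local user cannot pre-create
# or overwrite /tmp/jce_policy.zip or /tmp/UnlimitedJCEPolicyJDK8 ahead of us.
make_private_workdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/jce_policy.XXXXXX") || return 1
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# Download into the private directory, unpack there, then install the jars.
# Only the final copy into $JAVA_HOME runs as root; the download and unzip
# run as the unprivileged CI user. The temp directory is removed on exit.
install_jce_policy() {
    url=$1
    require_https_url "$url"
    workdir=$(make_private_workdir)
    trap 'rm -rf "$workdir"' EXIT
    zip="$workdir/jce_policy.zip"
    # -f: treat HTTP errors as failures instead of saving an error page as the zip
    curl -fsSL --cookie 'oraclelicense=accept-securebackup-cookie;' "$url" -o "$zip"
    unzip -q -o "$zip" -d "$workdir/unpacked"
    sudo install -m 644 "$workdir/unpacked/UnlimitedJCEPolicyJDK8/US_export_policy.jar" \
        "$JAVA_HOME/jre/lib/security/US_export_policy.jar"
    sudo install -m 644 "$workdir/unpacked/UnlimitedJCEPolicyJDK8/local_policy.jar" \
        "$JAVA_HOME/jre/lib/security/local_policy.jar"
}

# Usage (assumed https:// form of the URL from the report):
#   install_jce_policy https://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip
```

Note that https:// only authenticates the server at download time; it does not tell you whether the archive contents changed between builds. If the build must be reproducible, the next step would be to compare the downloaded file against a checksum recorded in the repository before unzipping it.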
Labels
None yet
Development

No branches or pull requests

1 participant