diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000000..af5879d427
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,2 @@
+paths-ignore:
+  - Library/Homebrew/vendor/
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000000..371605a34f
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,31 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ruby
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
diff --git a/Library/Homebrew/dev-cmd/bump-formula-pr.rb b/Library/Homebrew/dev-cmd/bump-formula-pr.rb
index a463a48f53..f0a6d3a555 100644
--- a/Library/Homebrew/dev-cmd/bump-formula-pr.rb
+++ b/Library/Homebrew/dev-cmd/bump-formula-pr.rb
@@ -383,13 +383,13 @@ module Homebrew
 
   def determine_mirror(url)
     case url
-    when %r{.*ftp.gnu.org/gnu.*}
+    when %r{.*ftp\.gnu\.org/gnu.*}
       url.sub "ftp.gnu.org/gnu", "ftpmirror.gnu.org"
-    when %r{.*download.savannah.gnu.org/*}
+    when %r{.*download\.savannah\.gnu\.org/*}
       url.sub "download.savannah.gnu.org", "download-mirror.savannah.gnu.org"
-    when %r{.*www.apache.org/dyn/closer.lua\?path=.*}
+    when %r{.*www\.apache\.org/dyn/closer\.lua\?path=.*}
       url.sub "www.apache.org/dyn/closer.lua?path=", "archive.apache.org/dist/"
-    when %r{.*mirrors.ocf.berkeley.edu/debian.*}
+    when %r{.*mirrors\.ocf\.berkeley\.edu/debian.*}
       url.sub "mirrors.ocf.berkeley.edu/debian", "mirrorservice.org/sites/ftp.debian.org/debian"
     end
   end
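Review bot: The three `uses:` lines in the `steps` block pin `actions/checkout@v3`, `github/codeql-action/init@v2` and `github/codeql-action/analyze@v2` to mutable major-version tags, so anyone able to move those tags can run arbitrary code in a job that holds `security-events: write`; pin each action to a full-length commit SHA and keep the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, and let Dependabot or Renovate propose the bumps. The workflow also triggers only on `push` and `pull_request` to `master`, so master is never re-analysed when a newer CodeQL query pack ships; adding a `schedule:` cron trigger next to the two existing ones closes that gap. The `permissions` block is already scoped to the minimum the CodeQL action needs, which is the right default.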
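Review bot: All four `when` patterns in `determine_mirror` remain unanchored (`.*host.*`) after the dot-escaping, so the host is matched anywhere in the string and a URL such as `https://example.com/ftp.gnu.org/gnu/foo.tar.gz` is still rewritten by `url.sub` to a "mirror" that stays on `example.com`. Anchoring each pattern to the scheme and host, e.g. `when %r{\Ahttps?://ftp\.gnu\.org/gnu/}`, restricts the rewrite to URLs actually served by that host; `\A` rather than `^` because `^` in Ruby also matches after an embedded newline. The savannah pattern additionally ends in `/*` (zero or more slashes) where `/.*` was presumably intended — harmless today only because nothing is anchored, so it is worth correcting in the same pass.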
diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb
index bef5ab5300..5498bb662f 100644
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@@ -1404,18 +1404,18 @@ class DownloadStrategyDetector
     when %r{^https?://www\.apache\.org/dyn/closer\.cgi},
          %r{^https?://www\.apache\.org/dyn/closer\.lua}
       CurlApacheMirrorDownloadStrategy
-    when %r{^https?://(.+?\.)?googlecode\.com/svn},
+    when %r{^https?://([A-Za-z0-9\-.]+\.)?googlecode\.com/svn},
          %r{^https?://svn\.},
          %r{^svn://},
          %r{^svn\+http://},
          %r{^http://svn\.apache\.org/repos/},
-         %r{^https?://(.+?\.)?sourceforge\.net/svnroot/}
+         %r{^https?://([A-Za-z0-9\-.]+\.)?sourceforge\.net/svnroot/}
       SubversionDownloadStrategy
     when %r{^cvs://}
       CVSDownloadStrategy
     when %r{^hg://},
-         %r{^https?://(.+?\.)?googlecode\.com/hg},
-         %r{^https?://(.+?\.)?sourceforge\.net/hgweb/}
+         %r{^https?://([A-Za-z0-9\-.]+\.)?googlecode\.com/hg},
+         %r{^https?://([A-Za-z0-9\-.]+\.)?sourceforge\.net/hgweb/}
       MercurialDownloadStrategy
     when %r{^bzr://}
       BazaarDownloadStrategy
diff --git a/Library/Homebrew/rubocops/homepage.rb b/Library/Homebrew/rubocops/homepage.rb
index 99ad64ffd0..69a8d7a5a6 100644
--- a/Library/Homebrew/rubocops/homepage.rb
+++ b/Library/Homebrew/rubocops/homepage.rb
@@ -70,12 +70,12 @@ module RuboCop
           when
             # Check for http:// GitHub homepage URLs, https:// is preferred.
             # Note: only check homepages that are repo pages, not *.github.com hosts
-            %r{^http://github.com/},
+            %r{^http://github\.com/},
             %r{^http://[^/]*\.github\.io/},
 
             # Savannah has full SSL/TLS support but no auto-redirect.
             # Doesn't apply to the download URLs, only the homepage.
-            %r{^http://savannah.nongnu.org/},
+            %r{^http://savannah\.nongnu\.org/},
             %r{^http://[^/]*\.sourceforge\.io/},
 
             # There's an auto-redirect here, but this mistake is incredibly common too.
diff --git a/Library/Homebrew/rubocops/urls.rb b/Library/Homebrew/rubocops/urls.rb
index 963dc1980f..67860051d4 100644
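Review bot: The subdomain class `[A-Za-z0-9\-.]+\.` is written out four times in this hunk, and a fifth, slightly different spelling (`[A-Za-z0-9\-.]*`) appears in `rubocops/urls.rb` in the same commit; hoisting it into one constant on `DownloadStrategyDetector`, e.g. `SUBDOMAIN = /[A-Za-z0-9\-.]+\./` used as `%r{^https?://(#{SUBDOMAIN})?googlecode\.com/svn}`, keeps the bounded form consistent the next time a host is added. The new class is a sound replacement for `(.+?\.)?` — presumably in response to a CodeQL regex finding — because it can no longer swallow `/` or `@`, though it still admits a leading or doubled `.`; that is acceptable here since strategy detection is not a trust decision. The enclosing `case url` method starts and ends outside this hunk.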
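Review bot: `%r{^http://github\.com/}` and `%r{^http://savannah\.nongnu\.org/}` keep the `^` anchor, which in Ruby matches at the start of any line rather than only the start of the string, so this `when` list tests "contains a line beginning with http://…" rather than "begins with http://…". For a cop that only flags, the difference is cosmetic (a multi-line homepage would be flagged, not missed), but `\A` states the intent exactly and is the conventional whole-string anchor: `%r{\Ahttp://github\.com/}`. The same applies to every `^`-anchored pattern this commit touches in `rubocops/urls.rb` and `download_strategy.rb`; the enclosing `case` starts and ends outside this hunk.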
--- a/Library/Homebrew/rubocops/urls.rb
+++ b/Library/Homebrew/rubocops/urls.rb
@@ -21,7 +21,7 @@ module RuboCop
           end
 
           # GNU URLs; doesn't apply to mirrors
-          gnu_pattern = %r{^(?:https?|ftp)://ftpmirror.gnu.org/(.*)}
+          gnu_pattern = %r{^(?:https?|ftp)://ftpmirror\.gnu\.org/(.*)}
           audit_urls(urls, gnu_pattern) do |match, url|
             problem "Please use \"https://ftp.gnu.org/gnu/#{match[1]}\" instead of #{url}."
           end
@@ -177,7 +177,7 @@ module RuboCop
           end
 
           # Check for new-url Google Code download URLs, https:// is preferred
-          google_code_pattern = Regexp.union([%r{^http://.*\.googlecode\.com/files.*},
+          google_code_pattern = Regexp.union([%r{^http://[A-Za-z0-9\-.]*\.googlecode\.com/files.*},
                                               %r{^http://code\.google\.com/}])
           audit_urls(urls, google_code_pattern) do |_, url|
             problem "Please use https:// for #{url}"
@@ -267,13 +267,13 @@ module RuboCop
           urls += mirrors
 
           # Check pypi URLs
-          pypi_pattern = %r{^https?://pypi.python.org/}
+          pypi_pattern = %r{^https?://pypi\.python\.org/}
           audit_urls(urls, pypi_pattern) do |_, url|
             problem "use the `Source` url found on PyPI downloads page (`#{get_pypi_url(url)}`)"
           end
 
           # Require long files.pythonhosted.org URLs
-          pythonhosted_pattern = %r{^https?://files.pythonhosted.org/packages/source/}
+          pythonhosted_pattern = %r{^https?://files\.pythonhosted\.org/packages/source/}
           audit_urls(urls, pythonhosted_pattern) do |_, url|
             problem "use the `Source` url found on PyPI downloads page (`#{get_pypi_url(url)}`)"
           end
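Review bot: `%r{^http://[A-Za-z0-9\-.]*\.googlecode\.com/files.*}` uses `*` for the subdomain part, whereas the four equivalent patterns this commit adds in `download_strategy.rb` use `+`; with `*` the audit also matches the impossible host `http://.googlecode.com/files`, and the trailing `.*` is a no-op because the pattern has no end anchor. `%r{^http://[A-Za-z0-9\-.]+\.googlecode\.com/files}` keeps the two files consistent without changing which real URLs are flagged. The enclosing audit method starts and ends outside this hunk.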