From 266daffbd1bf5d323fe2f92dc53d8deadb6592c0 Mon Sep 17 00:00:00 2001 From: Issy Long Date: Fri, 15 Apr 2022 15:24:31 +0100 Subject: [PATCH 1/8] workflows: Add Code Scanning - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning - I just joined the Code Scanning team at work and I figured I'd test out the actual product in the real world by seeing what things it points out for Homebrew, a reasonably large Ruby project. - This adds a config file to exclude `Library/Homebrew/vendor` as we can't fix problems within gems. :-) --- .github/codeql/codeql-config.yml | 2 ++ .github/workflows/codeql-analysis.yml | 36 +++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 .github/codeql/codeql-config.yml create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 0000000000..af5879d427 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,2 @@ +paths-ignore: + - Library/Homebrew/vendor/ diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000000..7912745fe3 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,36 @@ +name: "CodeQL" + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '30 2 * * 0' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'ruby' ] + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + config-file: ./.github/codeql/codeql-config.yml + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 From 63742cd4804b0004fa537b760c96667885de54d2 Mon Sep 17 00:00:00 2001 From: Issy Long Date: Fri, 15 Apr 2022 15:36:46 +0100 Subject: [PATCH 2/8] dev-cmd/bump-formula-pr: Escape `.`s in hostnames in regexps > This regular expression has an unescaped '.' before 'apache.org/dyn/closer', so it might match more hosts than expected. --- Library/Homebrew/dev-cmd/bump-formula-pr.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Library/Homebrew/dev-cmd/bump-formula-pr.rb b/Library/Homebrew/dev-cmd/bump-formula-pr.rb index a463a48f53..f0a6d3a555 100644 --- a/Library/Homebrew/dev-cmd/bump-formula-pr.rb +++ b/Library/Homebrew/dev-cmd/bump-formula-pr.rb @@ -383,13 +383,13 @@ module Homebrew def determine_mirror(url) case url - when %r{.*ftp.gnu.org/gnu.*} + when %r{.*ftp\.gnu\.org/gnu.*} url.sub "ftp.gnu.org/gnu", "ftpmirror.gnu.org" - when %r{.*download.savannah.gnu.org/*} + when %r{.*download\.savannah\.gnu\.org/*} url.sub "download.savannah.gnu.org", "download-mirror.savannah.gnu.org" - when %r{.*www.apache.org/dyn/closer.lua\?path=.*} + when %r{.*www\.apache\.org/dyn/closer\.lua\?path=.*} url.sub "www.apache.org/dyn/closer.lua?path=", "archive.apache.org/dist/" - when %r{.*mirrors.ocf.berkeley.edu/debian.*} + when %r{.*mirrors\.ocf\.berkeley\.edu/debian.*} url.sub "mirrors.ocf.berkeley.edu/debian", "mirrorservice.org/sites/ftp.debian.org/debian" end end From ffe0c18b2a10b8bc6369b2095a556fcb1ad4135c Mon Sep 17 00:00:00 2001 From: Issy Long Date: Fri, 15 Apr 2022 15:46:36 +0100 Subject: [PATCH 3/8] rubocops/homepage: Escape `.`s in hostnames in regexps --- Library/Homebrew/rubocops/homepage.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Library/Homebrew/rubocops/homepage.rb b/Library/Homebrew/rubocops/homepage.rb index 99ad64ffd0..69a8d7a5a6 100644 --- a/Library/Homebrew/rubocops/homepage.rb +++ b/Library/Homebrew/rubocops/homepage.rb @@ -70,12 +70,12 @@ module RuboCop when # Check for http:// GitHub homepage URLs, https:// is preferred. # Note: only check homepages that are repo pages, not *.github.com hosts - %r{^http://github.com/}, + %r{^http://github\.com/}, %r{^http://[^/]*\.github\.io/}, # Savannah has full SSL/TLS support but no auto-redirect. # Doesn't apply to the download URLs, only the homepage. - %r{^http://savannah.nongnu.org/}, + %r{^http://savannah\.nongnu\.org/}, %r{^http://[^/]*\.sourceforge\.io/}, # There's an auto-redirect here, but this mistake is incredibly common too. From aa36b343cab9a998d6e5359df8921200ba37ba3f Mon Sep 17 00:00:00 2001 From: Issy Long Date: Fri, 15 Apr 2022 16:39:14 +0100 Subject: [PATCH 4/8] rubocops/urls: Escape `.`s in hostnames in regexps --- Library/Homebrew/rubocops/urls.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Library/Homebrew/rubocops/urls.rb b/Library/Homebrew/rubocops/urls.rb index 963dc1980f..dfabc03859 100644 --- a/Library/Homebrew/rubocops/urls.rb +++ b/Library/Homebrew/rubocops/urls.rb @@ -21,7 +21,7 @@ module RuboCop end # GNU URLs; doesn't apply to mirrors - gnu_pattern = %r{^(?:https?|ftp)://ftpmirror.gnu.org/(.*)} + gnu_pattern = %r{^(?:https?|ftp)://ftpmirror\.gnu\.org/(.*)} audit_urls(urls, gnu_pattern) do |match, url| problem "Please use \"https://ftp.gnu.org/gnu/#{match[1]}\" instead of #{url}." end @@ -267,13 +267,13 @@ module RuboCop urls += mirrors # Check pypi URLs - pypi_pattern = %r{^https?://pypi.python.org/} + pypi_pattern = %r{^https?://pypi\.python\.org/} audit_urls(urls, pypi_pattern) do |_, url| problem "use the `Source` url found on PyPI downloads page (`#{get_pypi_url(url)}`)" end # Require long files.pythonhosted.org URLs - pythonhosted_pattern = %r{^https?://files.pythonhosted.org/packages/source/} + pythonhosted_pattern = %r{^https?://files\.pythonhosted\.org/packages/source/} audit_urls(urls, pythonhosted_pattern) do |_, url| problem "use the `Source` url found on PyPI downloads page (`#{get_pypi_url(url)}`)" end From f8d9a5c2db98a6a9e4931e036816884f331eb1a8 Mon Sep 17 00:00:00 2001 From: Issy Long Date: Fri, 15 Apr 2022 16:36:58 +0100 Subject: [PATCH 5/8] rubocops/urls: In regexps, only allow valid hostname characters > This regular expression has an unrestricted wildcard '.*' which may cause 'googlecode\.com/files' to be matched anywhere in the URL, outside the hostname. --- Library/Homebrew/rubocops/urls.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Library/Homebrew/rubocops/urls.rb b/Library/Homebrew/rubocops/urls.rb index dfabc03859..67860051d4 100644 --- a/Library/Homebrew/rubocops/urls.rb +++ b/Library/Homebrew/rubocops/urls.rb @@ -177,7 +177,7 @@ module RuboCop end # Check for new-url Google Code download URLs, https:// is preferred - google_code_pattern = Regexp.union([%r{^http://.*\.googlecode\.com/files.*}, + google_code_pattern = Regexp.union([%r{^http://[A-Za-z0-9\-.]*\.googlecode\.com/files.*}, %r{^http://code\.google\.com/}]) audit_urls(urls, google_code_pattern) do |_, url| problem "Please use https:// for #{url}" From 94d8bd5d32eea10053038b5a871c125fb959ef20 Mon Sep 17 00:00:00 2001 From: Issy Long Date: Fri, 15 Apr 2022 16:23:54 +0100 Subject: [PATCH 6/8] download_strategy: In regexps, only allow valid hostname characters > This regular expression has an unrestricted wildcard '.+?' which may cause 'googlecode\.com/svn' to be matched anywhere in the URL, outside the hostname. --- Library/Homebrew/download_strategy.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb index bef5ab5300..5498bb662f 100644 --- a/Library/Homebrew/download_strategy.rb +++ b/Library/Homebrew/download_strategy.rb @@ -1404,18 +1404,18 @@ class DownloadStrategyDetector when %r{^https?://www\.apache\.org/dyn/closer\.cgi}, %r{^https?://www\.apache\.org/dyn/closer\.lua} CurlApacheMirrorDownloadStrategy - when %r{^https?://(.+?\.)?googlecode\.com/svn}, + when %r{^https?://([A-Za-z0-9\-.]+\.)?googlecode\.com/svn}, %r{^https?://svn\.}, %r{^svn://}, %r{^svn\+http://}, %r{^http://svn\.apache\.org/repos/}, - %r{^https?://(.+?\.)?sourceforge\.net/svnroot/} + %r{^https?://([A-Za-z0-9\-.]+\.)?sourceforge\.net/svnroot/} SubversionDownloadStrategy when %r{^cvs://} CVSDownloadStrategy when %r{^hg://}, - %r{^https?://(.+?\.)?googlecode\.com/hg}, - %r{^https?://(.+?\.)?sourceforge\.net/hgweb/} + %r{^https?://([A-Za-z0-9\-.]+\.)?googlecode\.com/hg}, + %r{^https?://([A-Za-z0-9\-.]+\.)?sourceforge\.net/hgweb/} MercurialDownloadStrategy when %r{^bzr://} BazaarDownloadStrategy From 0016baa1cd8b3474be6c4fc06a8896a1319f1b5e Mon Sep 17 00:00:00 2001 From: Issy Long Date: Fri, 15 Apr 2022 17:36:18 +0100 Subject: [PATCH 7/8] workflows/codeql: Don't run on schedule, and no need for a matrix - These were the defaults generated when I clicked the "enable Code Scanning" button on GitHub, but... - Since we only have Ruby in this repo, we don't need a matrix, we can just specify `languages: ruby`. - And this repo gets enough usage that the schedule is not very useful - who would look at the scheduled run vs. it running every day on PRs? --- .github/workflows/codeql-analysis.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7912745fe3..22ed3f7d07 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -5,8 +5,6 @@ on: branches: [ master ] pull_request: branches: [ master ] - schedule: - - cron: '30 2 * * 0' jobs: analyze: @@ -19,8 +17,6 @@ jobs: strategy: fail-fast: false - matrix: - language: [ 'ruby' ] steps: - name: Checkout repository @@ -29,7 +25,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: - languages: ${{ matrix.language }} + languages: ruby config-file: ./.github/codeql/codeql-config.yml - name: Perform CodeQL Analysis From 6dd6758824e48ef041536bde43d32657aa11bdc7 Mon Sep 17 00:00:00 2001 From: Issy Long Date: Mon, 18 Apr 2022 13:06:51 +0100 Subject: [PATCH 8/8] workflows/codeql: Improve branch triggers and remove `fail-fast` Co-authored-by: Mike McQuaid --- .github/workflows/codeql-analysis.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 22ed3f7d07..371605a34f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -2,9 +2,11 @@ name: "CodeQL" on: push: - branches: [ master ] + branches: + - master pull_request: - branches: [ master ] + branches: + - master jobs: analyze: @@ -15,9 +17,6 @@ jobs: contents: read security-events: write - strategy: - fail-fast: false - steps: - name: Checkout repository uses: actions/checkout@v3