admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

Merge pull request #1722 from broder/insecure_audit

Browse Source 
Added check for insecure mirror URLs
This commit is contained in:
Mike McQuaid 2017-02-20 11:26:41 +00:00 committed by GitHub
commit d24ac0555c
1 changed files with 37 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
Library/Homebrew/dev-cmd/audit.rb
View File

@ -39,6 +39,7 @@ require "cmd/search"
require "cmd/style" require "cmd/style"
require "date" require "date"
require "blacklist" require "blacklist"
require "digest"
module Homebrew module Homebrew
module_function module_function
@ -670,11 +671,11 @@ class FormulaAuditor
%w[Stable Devel HEAD].each do |name| %w[Stable Devel HEAD].each do |name|
next unless spec = formula.send(name.downcase) next unless spec = formula.send(name.downcase)
ra = ResourceAuditor.new(spec).audit ra = ResourceAuditor.new(spec, online: @online).audit
problems.concat ra.problems.map { |problem| "#{name}: #{problem}" } problems.concat ra.problems.map { |problem| "#{name}: #{problem}" }
spec.resources.each_value do |resource| spec.resources.each_value do |resource|
ra = ResourceAuditor.new(resource).audit ra = ResourceAuditor.new(resource, online: @online).audit
problems.concat ra.problems.map { |problem| problems.concat ra.problems.map { |problem|
"#{name} resource #{resource.name.inspect}: #{problem}" "#{name} resource #{resource.name.inspect}: #{problem}"
} }
@ -1221,7 +1222,7 @@ class ResourceAuditor
attr_reader :problems attr_reader :problems
attr_reader :version, :checksum, :using, :specs, :url, :mirrors, :name attr_reader :version, :checksum, :using, :specs, :url, :mirrors, :name
def initialize(resource) def initialize(resource, options = {})
@name = resource.name @name = resource.name
@version = resource.version @version = resource.version
@checksum = resource.checksum @checksum = resource.checksum
@ -1229,6 +1230,7 @@ class ResourceAuditor
@mirrors = resource.mirrors @mirrors = resource.mirrors
@using = resource.using @using = resource.using
@specs = resource.specs @specs = resource.specs
@online = options[:online]
@problems = [] @problems = []
end end
@ -1485,9 +1487,41 @@ class ResourceAuditor
next unless u =~ %r{https?://(?:central|repo\d+)\.maven\.org/maven2/(.+)$} next unless u =~ %r{https?://(?:central|repo\d+)\.maven\.org/maven2/(.+)$}
problem "#{u} should be `https://search.maven.org/remotecontent?filepath=#{$1}`" problem "#{u} should be `https://search.maven.org/remotecontent?filepath=#{$1}`"
end end
return unless @online
urls.each do |url|
check_insecure_mirror(url) if url.start_with? "http:"
end
end
def check_insecure_mirror(url)
details = get_content_details(url)
secure_url = url.sub "http", "https"
secure_details = get_content_details(secure_url)
return if !details[:status].start_with?("2") || !secure_details[:status].start_with?("2")
etag_match = details[:etag] && details[:etag] == secure_details[:etag]
content_length_match = details[:content_length] && details[:content_length] == secure_details[:content_length]
file_match = details[:file_hash] == secure_details[:file_hash]
return if !etag_match && !content_length_match && !file_match
problem "The URL #{url} could use HTTPS rather than HTTP"
end end
def problem(text) def problem(text)
@problems << text @problems << text
end end
def get_content_details(url)
out = {}
output, = curl_output "--connect-timeout", "15", "--include", url
split = output.partition("\r\n\r\n")
headers = split.first
out[:status] = headers[%r{HTTP\/.* (\d+)}, 1]
out[:etag] = headers[%r{ETag: ([wW]\/)?"(([^"]|\\")*)"}, 2]
out[:content_length] = headers[/Content-Length: (\d+)/, 1]
out[:file_hash] = Digest::SHA256.digest split.last
out
end
end end