| author | Mike McQuaid | 2017-02-20 11:26:41 +0000 |
|---|---|---|
| committer | GitHub | 2017-02-20 11:26:41 +0000 |
| commit | d24ac0555c6d1df716fa7740827673055d620061 (patch) | |
| tree | 594f825b6e06cb316ac1c17bb1731cf6d1042e35 /Library | |
| parent | fe4b2e97a1bc37a210029b19167e80a059a69720 (diff) | |
| parent | b2dd6bc9b0c765104898d128c455b2f107498399 (diff) | |
| download | brew-d24ac0555c6d1df716fa7740827673055d620061.tar.bz2 | |
Merge pull request #1722 from broder/insecure_audit
Added check for insecure mirror URLs
Diffstat (limited to 'Library')
| -rw-r--r-- | Library/Homebrew/dev-cmd/audit.rb | 40 |
1 files changed, 37 insertions, 3 deletions
diff --git a/Library/Homebrew/dev-cmd/audit.rb b/Library/Homebrew/dev-cmd/audit.rb
index 6aeb18749..5ed363f7c 100644
--- a/Library/Homebrew/dev-cmd/audit.rb
+++ b/Library/Homebrew/dev-cmd/audit.rb
@@ -39,6 +39,7 @@ require "cmd/search"
 require "cmd/style"
 require "date"
 require "blacklist"
+require "digest"
 module Homebrew
 module_function
@@ -670,11 +671,11 @@ class FormulaAuditor
 %w[Stable Devel HEAD].each do |name|
 next unless spec = formula.send(name.downcase)
- ra = ResourceAuditor.new(spec).audit
+ ra = ResourceAuditor.new(spec, online: @online).audit
 problems.concat ra.problems.map { |problem| "#{name}: #{problem}" }
 spec.resources.each_value do |resource|
- ra = ResourceAuditor.new(resource).audit
+ ra = ResourceAuditor.new(resource, online: @online).audit
 problems.concat ra.problems.map { |problem| "#{name} resource #{resource.name.inspect}: #{problem}" }
@@ -1221,7 +1222,7 @@ class ResourceAuditor
 attr_reader :problems
 attr_reader :version, :checksum, :using, :specs, :url, :mirrors, :name
- def initialize(resource)
+ def initialize(resource, options = {})
 @name = resource.name
 @version = resource.version
 @checksum = resource.checksum
@@ -1229,6 +1230,7 @@ class ResourceAuditor
 @mirrors = resource.mirrors
 @using = resource.using
 @specs = resource.specs
+ @online = options[:online]
 @problems = []
 end
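Review bot: The ResourceAuditor hunk at -1221 takes a positional `options = {}` hash although both call sites in the FormulaAuditor hunk at -670 already pass `online: @online` in keyword form, so a misspelled key would be silently ignored and `@online` becomes nil rather than false when the option is omitted. Declaring the flag as a keyword parameter makes the contract explicit and lets Ruby reject unknown options: `def initialize(resource, online: false)` with `@online = online` in the -1229 hunk. The rest of `initialize` and the `audit_specs` loop are outside these hunks.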
@@ -1485,9 +1487,41 @@ class ResourceAuditor
 next unless u =~ %r{https?://(?:central|repo\d+)\.maven\.org/maven2/(.+)$}
 problem "#{u} should be `https://search.maven.org/remotecontent?filepath=#{$1}`"
 end
+
+ return unless @online
+ urls.each do |url|
+ check_insecure_mirror(url) if url.start_with? "http:"
+ end
+ end
+
+ def check_insecure_mirror(url)
+ details = get_content_details(url)
+ secure_url = url.sub "http", "https"
+ secure_details = get_content_details(secure_url)
+
+ return if !details[:status].start_with?("2") || !secure_details[:status].start_with?("2")
+
+ etag_match = details[:etag] && details[:etag] == secure_details[:etag]
+ content_length_match = details[:content_length] && details[:content_length] == secure_details[:content_length]
+ file_match = details[:file_hash] == secure_details[:file_hash]
+
+ return if !etag_match && !content_length_match && !file_match
+ problem "The URL #{url} could use HTTPS rather than HTTP"
 end
 
 def problem(text)
 @problems << text
 end
+
+ def get_content_details(url)
+ out = {}
+ output, = curl_output "--connect-timeout", "15", "--include", url
+ split = output.partition("\r\n\r\n")
+ headers = split.first
+ out[:status] = headers[%r{HTTP\/.* (\d+)}, 1]
+ out[:etag] = headers[%r{ETag: ([wW]\/)?"(([^"]|\\")*)"}, 2]
+ out[:content_length] = headers[/Content-Length: (\d+)/, 1]
+ out[:file_hash] = Digest::SHA256.digest split.last
+ out
+ end
 end
|
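Review bot: `check_insecure_mirror` calls `start_with?` on `details[:status]`, which `get_content_details` leaves nil whenever curl returns no status line (connection refused, the 15 s `--connect-timeout` expiring, or an HTTPS endpoint that simply does not exist), so a single unreachable mirror raises NoMethodError and aborts the audit instead of being skipped. Replace the status guard with `return unless [details, secure_details].all? { |d| d[:status].to_s.start_with?("2") }`. The `ETag:` and `Content-Length:` patterns in `get_content_details` are also case-sensitive although header names are not, so servers that emit lowercase names lose both header comparisons and the decision falls back to the body hash alone; appending `/i` to those two regexes (`%r{ETag: ...}i`, `/Content-Length: (\d+)/i`) fixes that. The method that contains the first added lines (the `urls.each` loop) begins outside the hunk, so `urls` is assumed to be defined there.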
