Do not warn when http source uses `file:///` URI scheme

2246d7cb · Dimitris Koutsogiorgas · 34a88f71 · 2246d7cb · 2246d7cb · 2246d7cb
Commit 2246d7cb authored Feb 26, 2018 by Dimitris Koutsogiorgas
5 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -89,6 +89,10 @@ To install release candidates run `[sudo] gem install cocoapods --pre`
 * Stop adding header search paths that do not contain any headers.  
  [Samuel Giddins](https://github.com/segiddins)

+* Do not warn when http source uses `file:///` URI scheme  
+  [Dimitris Koutsogiorgas](https://github.com/dnkoutso)
+  [#7460](https://github.com/CocoaPods/CocoaPods/issues/7460)
+
 ## 1.4.0 (2018-01-18)

 ##### Enhancements

--- a/lib/cocoapods/installer/pod_source_installer.rb
+++ b/lib/cocoapods/installer/pod_source_installer.rb
@@ -132,9 +132,8 @@ module Pod
      #
      def verify_source_is_secure(root_spec)
        return if root_spec.source.nil? || root_spec.source[:http].nil?
-        http_source = root_spec.source[:http]
-        return if http_source.downcase.start_with?('https://')
-
+        http_source = URI(root_spec.source[:http])
+        return if http_source.scheme == 'https' || http_source.scheme == 'file'
        UI.warn "'#{root_spec.name}' uses the unencrypted http protocol to transfer the Pod. " \
                'Please be sure you\'re in a safe network with only trusted hosts in there. ' \
                'Please reach out to the library author to notify them of this security issue.'

--- a/lib/cocoapods/validator.rb
+++ b/lib/cocoapods/validator.rb
@@ -398,8 +398,8 @@ module Pod
    #
    def validate_source_url(spec)
      return if spec.source.nil? || spec.source[:http].nil?
-      url = spec.source[:http]
-      return if url.downcase.start_with?('https://')
+      url = URI(spec.source[:http])
+      return if url.scheme == 'https' || url.scheme == 'file'
      warning('http', "The URL (`#{url}`) doesn't use the encrypted HTTPs protocol. " \
              'It is crucial for Pods to be transferred over a secure protocol to protect your users from man-in-the-middle attacks. '\
              'This will be an error in future releases. Please update the URL to use https.')

--- a/spec/unit/installer/pod_source_installer_spec.rb
+++ b/spec/unit/installer/pod_source_installer_spec.rb
@@ -40,6 +40,14 @@ module Pod
        UI.warnings.length.should.equal(0)
      end

+      it 'does not show warning if the source uses file:///' do
+        @spec.source = { :http => 'file:///orta.io/sdk.zip' }
+        dummy_response = Pod::Downloader::Response.new
+        Downloader.stubs(:download).returns(dummy_response)
+        @installer.install!
+        UI.warnings.length.should.equal(0)
+      end
+
      it 'shows a warning if the source is unencrypted (e.g. http)' do
        @spec.source = { :http => 'http://orta.io/sdk.zip' }
        dummy_response = Pod::Downloader::Response.new

--- a/spec/unit/validator_spec.rb
+++ b/spec/unit/validator_spec.rb
@@ -259,7 +259,7 @@ module Pod
          end
        end

-        describe 'documentation URL validation' do
+        describe 'source URL validation' do
          before do
            @validator.unstub(:validate_source_url)
          end
@@ -275,9 +275,15 @@ module Pod
            @validator.validate
            @validator.results.map(&:to_s).first.should.match /use the encrypted HTTPs protocol./
          end
+
+          it 'should not fail validation if the source URL is using file:///' do
+            Specification.any_instance.stubs(:source).returns(:http => 'file:///orta.io/package.zip')
+            @validator.validate
+            @validator.results.should.be.empty?
+          end
        end

-        describe 'source URL validation' do
+        describe 'documentation URL validation' do
          before do
            @validator.unstub(:validate_documentation_url)
          end