Merge pull request #7250 from KrauseFx/patch-1

Show warning when SDK provider tries to push a version with an unencrypted HTTP source

Merge pull request #7250 from KrauseFx/patch-1
Show warning when SDK provider tries to push a version with an unencrypted HTTP source
33a29513 · Dimitris Koutsogiorgas · GitHub · 93b62fd5 · 24253103 · 33a29513
Unverified Commit 33a29513 authored Dec 05, 2017 by Dimitris Koutsogiorgas Committed by GitHub Dec 05, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 35 additions and 0 deletions

CHANGELOG.md CHANGELOG.md +4 -0

validator.rb lib/cocoapods/validator.rb +12 -0

validator_spec.rb spec/unit/validator_spec.rb +19 -0

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,10 @@ To install release candidates run `[sudo] gem install cocoapods --pre`
  [Eric Amorde](https://github.com/amorde)
  [#7093](https://github.com/CocoaPods/CocoaPods/pull/7093)

+* Show warning when SDK provider tries to push a version with an unencrypted HTTP source  
+  [KrauseFx](https://github.com/KrauseFx)
+  [#7250](https://github.com/CocoaPods/CocoaPods/pull/7250)
+
 ##### Bug Fixes

 * Quote framework names in OTHER_LDFLAGS  

--- a/lib/cocoapods/validator.rb
+++ b/lib/cocoapods/validator.rb
@@ -307,6 +307,7 @@ module Pod
      validate_screenshots(spec)
      validate_social_media_url(spec)
      validate_documentation_url(spec)
+      validate_source_url(spec)

      valid = spec.available_platforms.send(fail_fast ? :all? : :each) do |platform|
        UI.message "\n\n#{spec} - Analyzing on #{platform} platform.".green.reversed
@@ -393,6 +394,17 @@ module Pod
      validate_url(spec.documentation_url) if spec.documentation_url
    end

+    # Performs validations related to the `source` -> `http` attribute (if exists)
+    #
+    def validate_source_url(spec)
+      return if spec.source.nil? || spec.source[:http].nil?
+      url = spec.source[:http]
+      return if url.downcase.start_with?('https://')
+      warning('http', "The URL (`#{url}`) doesn't use the encrypted HTTPs protocol. " \
+              'It is crucial for Pods to be transferred over a secure protocol to protect your users from man-in-the-middle attacks. '\
+              'This will be an error in future releases. Please update the URL to use https.')
+    end
+
    # Performs validation for which version of Swift is used during validation.
    #
    # An error will be displayed if the user has provided a `swift_version` attribute within the podspec but is also

--- a/spec/unit/validator_spec.rb
+++ b/spec/unit/validator_spec.rb
@@ -139,6 +139,7 @@ module Pod
          @validator.stubs(:validate_screenshots)
          @validator.stubs(:validate_social_media_url)
          @validator.stubs(:validate_documentation_url)
+          @validator.stubs(:validate_source_url)
          @validator.stubs(:perform_extensive_subspec_analysis)
          Specification.any_instance.stubs(:available_platforms).returns([])

@@ -259,6 +260,24 @@ module Pod
        end

        describe 'documentation URL validation' do
+          before do
+            @validator.unstub(:validate_source_url)
+          end
+
+          it 'checks if the source URL is valid' do
+            Specification.any_instance.stubs(:source).returns(:http => 'https://orta.io/package.zip')
+            @validator.validate
+            @validator.results.should.be.empty?
+          end
+
+          it 'should fail validation if the source URL is not HTTPs encrypted' do
+            Specification.any_instance.stubs(:source).returns(:http => 'http://orta.io/package.zip')
+            @validator.validate
+            @validator.results.map(&:to_s).first.should.match /use the encrypted HTTPs protocol./
+          end
+        end
+
+        describe 'source URL validation' do
          before do
            @validator.unstub(:validate_documentation_url)
          end