gengmeiios
cocoapods
Commit c70f430b authored Dec 19, 2017 by Felix Krause
Show warning when Pod source uses unencrypted HTTP
parent dfaa7cb1
Showing 3 changed files with 35 additions and 1 deletion (+35 -1)
CHANGELOG.md (+3 -1)
lib/cocoapods/installer/pod_source_installer.rb (+16 -0)
spec/unit/installer/pod_source_installer_spec.rb (+16 -0)
CHANGELOG.md
...
@@ -8,7 +8,9 @@ To install release candidates run `[sudo] gem install cocoapods --pre`
...
@@ -8,7 +8,9 @@ To install release candidates run `[sudo] gem install cocoapods --pre`
##### Enhancements
##### Enhancements
*
None.
*
Show warning when Pod source uses unencrypted HTTP
[
KrauseFx
](
https://github.com/KrauseFx
)
[
#7238
](
https://github.com/CocoaPods/CocoaPods/issues/7238
)
##### Bug Fixes
##### Bug Fixes
...
...
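Review bot: the changelog entry "Show warning when Pod source uses unencrypted HTTP" promises more than the accompanying code checks, which looks only at the `:http` key of the spec source and only for a missing `https://` prefix (the method's own comment says it "doesn't verify all protocols"). Consider wording it as "Show warning when a Pod's `:http` source uses unencrypted HTTP" so readers do not assume git, svn or hg sources fetched over plain http:// are covered too.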
lib/cocoapods/installer/pod_source_installer.rb
...
@@ -117,6 +117,7 @@ module Pod
...
@@ -117,6 +117,7 @@ module Pod
# @return [void]
# @return [void]
#
#
def
download_source
def
download_source
verify_source_is_secure
(
root_spec
)
download_result
=
Downloader
.
download
(
download_request
,
root
,
:can_cache
=>
can_cache?
)
download_result
=
Downloader
.
download
(
download_request
,
root
,
:can_cache
=>
can_cache?
)
if
(
@specific_source
=
download_result
.
checkout_options
)
&&
specific_source
!=
root_spec
.
source
if
(
@specific_source
=
download_result
.
checkout_options
)
&&
specific_source
!=
root_spec
.
source
...
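Review bot: `verify_source_is_secure(root_spec)` is invoked before `Downloader.download`, so the warning is emitted regardless of whether the download is later served from cache (`:can_cache => can_cache?`); that is the right spot, but because the method only warns and never raises, the install still proceeds over plain HTTP after the message. Worth stating that explicitly in the method's doc comment, or offering a way to escalate the warning to an error for users who want to refuse unencrypted sources outright.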
@@ -124,6 +125,21 @@ module Pod
...
@@ -124,6 +125,21 @@ module Pod
end
end
end
end
# Verify the source of the spec is secure, which is used to
# show a warning to the user if that isn't the case
# This method doesn't verify all protocols, but currently
# only prohibits unencrypted http:// connections
#
def
verify_source_is_secure
(
root_spec
)
return
if
root_spec
.
source
.
nil?
||
root_spec
.
source
[
:http
].
nil?
http_source
=
root_spec
.
source
[
:http
]
return
if
http_source
.
downcase
.
start_with?
(
'https://'
)
UI
.
warn
"'
#{
root_spec
.
name
}
' uses the unencrypted http protocol to transfer the Pod. "
\
'Please be sure you\'re in a safe network with only trusted hosts in there. '
\
'Please reach out to the library author to notify them of this security issue.'
end
def
download_request
def
download_request
Downloader
::
Request
.
new
(
Downloader
::
Request
.
new
(
:spec
=>
root_spec
,
:spec
=>
root_spec
,
...
...
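Review bot: the doc comment claims the method "only prohibits unencrypted http:// connections", but the body just calls `UI.warn` and returns, so nothing is prohibited; change "prohibits" to "warns about" to match the behaviour. The warning text "Please be sure you're in a safe network with only trusted hosts in there." also reads awkwardly; something like "Make sure you are on a trusted network before installing this Pod." is clearer. Minor: `http_source.downcase.start_with?('https://')` normalises scheme case but not surrounding whitespace, so a `strip` before `downcase` would avoid a spurious warning on a URL with leading spaces.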
spec/unit/installer/pod_source_installer_spec.rb
...
@@ -32,6 +32,22 @@ module Pod
...
@@ -32,6 +32,22 @@ module Pod
end
end
end
end
it
'does not show warning if the source is encrypted using https'
do
@spec
.
source
=
{
:http
=>
'https://orta.io/sdk.zip'
}
dummy_response
=
Pod
::
Downloader
::
Response
.
new
Downloader
.
stubs
(
:download
).
returns
(
dummy_response
)
@installer
.
install!
UI
.
warnings
.
length
.
should
.
equal
(
0
)
end
it
'shows a warning if the source is unencrypted (e.g. http)'
do
@spec
.
source
=
{
:http
=>
'http://orta.io/sdk.zip'
}
dummy_response
=
Pod
::
Downloader
::
Response
.
new
Downloader
.
stubs
(
:download
).
returns
(
dummy_response
)
@installer
.
install!
UI
.
warnings
.
should
.
include
'Please reach out to the library author to notify them of this security issue'
end
#--------------------------------------#
#--------------------------------------#
describe
'Prepare command'
do
describe
'Prepare command'
do
...
...
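Review bot: both specs assert on `UI.warnings` with `.length` and `.include` on a substring, which assumes the test `UI` accumulates warnings into a single String; if it were an Array of messages, `include` would require the exact full message and the http case would fail. Matching a stable fragment with a regex (for example the Pod name taken from `@spec`) would be less brittle to wording changes in the warning. Also missing: a case with an upper-case scheme such as `HTTPS://orta.io/sdk.zip`, since the implementation calls `downcase` before `start_with?`, and a case where `source` has no `:http` key, to exercise the early `return`.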