Show warning when Pod source uses unencrypted HTTP

c70f430b · Felix Krause · dfaa7cb1 · c70f430b · c70f430b · c70f430b
Commit c70f430b authored Dec 19, 2017 by Felix Krause
Showing with 35 additions and 1 deletion

CHANGELOG.md CHANGELOG.md +3 -1

pod_source_installer.rb lib/cocoapods/installer/pod_source_installer.rb +16 -0

pod_source_installer_spec.rb spec/unit/installer/pod_source_installer_spec.rb +16 -0

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,9 @@ To install release candidates run `[sudo] gem install cocoapods --pre`

 ##### Enhancements

-* None.  
+* Show warning when Pod source uses unencrypted HTTP  
+  [KrauseFx](https://github.com/KrauseFx)
+  [#7238](https://github.com/CocoaPods/CocoaPods/issues/7238)

 ##### Bug Fixes


--- a/lib/cocoapods/installer/pod_source_installer.rb
+++ b/lib/cocoapods/installer/pod_source_installer.rb
@@ -117,6 +117,7 @@ module Pod
      # @return [void]
      #
      def download_source
+        verify_source_is_secure(root_spec)
        download_result = Downloader.download(download_request, root, :can_cache => can_cache?)

        if (@specific_source = download_result.checkout_options) && specific_source != root_spec.source
@@ -124,6 +125,21 @@ module Pod
        end
      end

+      # Verify the source of the spec is secure, which is used to
+      # show a warning to the user if that isn't the case
+      # This method doesn't verify all protocols, but currently
+      # only prohibits unencrypted http:// connections
+      #
+      def verify_source_is_secure(root_spec)
+        return if root_spec.source.nil? || root_spec.source[:http].nil?
+        http_source = root_spec.source[:http]
+        return if http_source.downcase.start_with?('https://')
+
+        UI.warn "'#{root_spec.name}' uses the unencrypted http protocol to transfer the Pod. " \
+                'Please be sure you\'re in a safe network with only trusted hosts in there. ' \
+                'Please reach out to the library author to notify them of this security issue.'
+      end
+
      def download_request
        Downloader::Request.new(
          :spec => root_spec,

--- a/spec/unit/installer/pod_source_installer_spec.rb
+++ b/spec/unit/installer/pod_source_installer_spec.rb
@@ -32,6 +32,22 @@ module Pod
        end
      end

+      it 'does not show warning if the source is encrypted using https' do
+        @spec.source = { :http => 'https://orta.io/sdk.zip' }
+        dummy_response = Pod::Downloader::Response.new
+        Downloader.stubs(:download).returns(dummy_response)
+        @installer.install!
+        UI.warnings.length.should.equal(0)
+      end
+
+      it 'shows a warning if the source is unencrypted (e.g. http)' do
+        @spec.source = { :http => 'http://orta.io/sdk.zip' }
+        dummy_response = Pod::Downloader::Response.new
+        Downloader.stubs(:download).returns(dummy_response)
+        @installer.install!
+        UI.warnings.should.include 'Please reach out to the library author to notify them of this security issue'
+      end
+
      #--------------------------------------#

      describe 'Prepare command' do