Merge pull request #7462 from dnkoutso/file_uri_scheme_fix

Do not warn when http source uses `file:///` URI scheme

CHANGELOG.md

@@ -89,6 +89,10 @@ To install release candidates run `[sudo] gem install cocoapods --pre`
 * Stop adding header search paths that do not contain any headers.  
   [Samuel Giddins](https://github.com/segiddins)
 
+* Do not warn when http source uses `file:///` URI scheme  
+  [Dimitris Koutsogiorgas](https://github.com/dnkoutso)
+  [#7460](https://github.com/CocoaPods/CocoaPods/issues/7460)
+
 ## 1.4.0 (2018-01-18)
 
 ##### Enhancements

lib/cocoapods/installer/pod_source_installer.rb

@@ -132,9 +132,8 @@ module Pod
       #
       def verify_source_is_secure(root_spec)
         return if root_spec.source.nil? || root_spec.source[:http].nil?
-        http_source = root_spec.source[:http]
-        return if http_source.downcase.start_with?('https://')
-
+        http_source = URI(root_spec.source[:http])
+        return if http_source.scheme == 'https' || http_source.scheme == 'file'
         UI.warn "'#{root_spec.name}' uses the unencrypted http protocol to transfer the Pod. " \
                 'Please be sure you\'re in a safe network with only trusted hosts in there. ' \
                 'Please reach out to the library author to notify them of this security issue.'

lib/cocoapods/validator.rb

@@ -398,8 +398,8 @@ module Pod
     #
     def validate_source_url(spec)
       return if spec.source.nil? || spec.source[:http].nil?
-      url = spec.source[:http]
-      return if url.downcase.start_with?('https://')
+      url = URI(spec.source[:http])
+      return if url.scheme == 'https' || url.scheme == 'file'
       warning('http', "The URL (`#{url}`) doesn't use the encrypted HTTPs protocol. " \
               'It is crucial for Pods to be transferred over a secure protocol to protect your users from man-in-the-middle attacks. '\
               'This will be an error in future releases. Please update the URL to use https.')

spec/unit/installer/pod_source_installer_spec.rb

@@ -40,6 +40,14 @@ module Pod
         UI.warnings.length.should.equal(0)
       end
 
+      it 'does not show warning if the source uses file:///' do
+        @spec.source = { :http => 'file:///orta.io/sdk.zip' }
+        dummy_response = Pod::Downloader::Response.new
+        Downloader.stubs(:download).returns(dummy_response)
+        @installer.install!
+        UI.warnings.length.should.equal(0)
+      end
+
       it 'shows a warning if the source is unencrypted (e.g. http)' do
         @spec.source = { :http => 'http://orta.io/sdk.zip' }
         dummy_response = Pod::Downloader::Response.new

spec/unit/validator_spec.rb

@@ -259,7 +259,7 @@ module Pod
           end
         end
 
-        describe 'documentation URL validation' do
+        describe 'source URL validation' do
           before do
             @validator.unstub(:validate_source_url)
           end
@@ -275,9 +275,15 @@ module Pod
             @validator.validate
             @validator.results.map(&:to_s).first.should.match /use the encrypted HTTPs protocol./
           end
+
+          it 'should not fail validation if the source URL is using file:///' do
+            Specification.any_instance.stubs(:source).returns(:http => 'file:///orta.io/package.zip')
+            @validator.validate
+            @validator.results.should.be.empty?
+          end
         end
 
-        describe 'source URL validation' do
+        describe 'documentation URL validation' do
           before do
             @validator.unstub(:validate_documentation_url)
           end