gitlab-ci: error if apps use insecure plain HTTP gradle repositories

It is very easy to mess up and include plain HTTP URLs for gradle
repositories, which can lead to gradle downloading code from HTTP and
immediately executing it.  The fix is almost always changing "http:" to
"https:".

https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer
This commit is contained in:
Hans-Christoph Steiner 2018-01-22 12:07:11 +01:00
parent fed1acd8f6
commit d6e81e47bb
2 changed files with 31 additions and 0 deletions

View file

@ -18,6 +18,7 @@ lint:
export CHANGED="$CHANGED $appid"; export CHANGED="$CHANGED $appid";
grep -q "^Repo *Type\W *git" $f && git -C build clone `sed -n "s,^Repo *:,,p" $f` $appid; grep -q "^Repo *Type\W *git" $f && git -C build clone `sed -n "s,^Repo *:,,p" $f` $appid;
done; done;
./tools/audit-gradle.py $CHANGED;
fi fi
- export EXITVALUE=0 - export EXITVALUE=0
- fdroid lint -f $CHANGED || { - fdroid lint -f $CHANGED || {

30
tools/audit-gradle.py Executable file
View file

@ -0,0 +1,30 @@
#!/usr/bin/env python3
import os
import re
import sys
# find all repositories that use plain HTTP urls (e.g. not HTTPS)
url_pattern = re.compile('repositories\s*{[^}]*http://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+[^}]*}', re.DOTALL)
exit_value = 0
for appid in sys.argv:
gitdir = os.path.join('build', appid)
if not os.path.isdir(gitdir):
continue
for root, dirs, files in os.walk(gitdir):
for f in files:
if f.endswith('.gradle'):
path = os.path.join(root, f)
with open(path) as fp:
data = fp.read()
for url in url_pattern.findall(data):
print('Found plain HTTP URL for gradle repository:\n%s\n%s'
% (path, url))
exit_value += 1
if exit_value:
print('gradle build uses plain HTTP URLs for repositories! This is insecure!')
print('https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/')
sys.exit(exit_value)