fdroiddata/tools/audit-gradle.py
Hans-Christoph Steiner d6e81e47bb gitlab-ci: error if apps use insecure plain HTTP gradle repositories
It is very easy to mess up and include plain HTTP URLs for gradle
repositories, which can lead to gradle downloading code from HTTP and
immediately executing it.  The fix is almost always changing "http:" to
"https:".

https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer
2018-01-26 13:41:41 +01:00

31 lines
1 KiB
Python
Executable file

#!/usr/bin/env python3
# Audit the app sources checked out under build/<appid> for gradle
# repositories declared with plain HTTP URLs.  Gradle fetches plugins and
# dependencies from those repositories and runs them as part of the build,
# so an http:// repository lets anyone on the network path inject code.
import os
import re
import sys

# find all repositories blocks that contain a plain HTTP url (i.e. not HTTPS)
url_pattern = re.compile(
    r'repositories\s*{[^}]*http://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+[^}]*}',
    re.DOTALL)

exit_value = 0
# sys.argv[0] is this script itself; the app IDs to audit follow it
for appid in sys.argv[1:]:
    gitdir = os.path.join('build', appid)
    if not os.path.isdir(gitdir):
        continue
    for root, dirs, files in os.walk(gitdir):
        for f in files:
            if f.endswith('.gradle'):
                path = os.path.join(root, f)
                with open(path, encoding='utf-8', errors='replace') as fp:
                    data = fp.read()
                for url in url_pattern.findall(data):
                    print('Found plain HTTP URL for gradle repository:\n%s\n%s'
                          % (path, url))
                    exit_value += 1

if exit_value:
    print('gradle build uses plain HTTP URLs for repositories! This is insecure!')
    print('https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/')
# exit codes are truncated to 8 bits, so clamp the count: 256 findings must
# not turn into exit status 0 and let the CI job pass
sys.exit(min(exit_value, 255))
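The regex above stops at the first `}` it meets inside a `repositories { ... }` block, so a plain-HTTP `maven { }` entry that comes after an HTTPS one (whose closing brace has already been passed) is not reported. The following is an added example, not part of the fdroiddata script, showing the same check written with brace matching so that nested `maven { }` blocks are kept whole, together with the fix the commit message describes ("http:" to "https:") applied only inside repositories blocks. It goes beyond the page's regex in two ways: sibling repository blocks are handled, and because it does not depend on the `url` keyword it also covers Kotlin DSL `maven("http://...")` calls. The build scripts below are constructed samples, not taken from any real app; the function names are this example's own.

```python
import re

# Constructed sample Groovy build script (not from any real app).  The second
# maven block uses plain HTTP and sits behind a block that already closed with
# '}', which is the case a single non-nested regex misses.  The ext block
# carries an http:// URL that is NOT a repository and must not be flagged.
INSECURE_BUILD_GRADLE = """
buildscript {
    repositories {
        jcenter()
        maven { url 'https://plugins.gradle.org/m2/' }
        maven { url 'http://dl.bintray.com/example/maven' }
    }
}
ext {
    website = 'http://example.com/app'
}
allprojects {
    repositories {
        maven { url "http://repo.example.org/releases" }
    }
}
"""

# Constructed Kotlin DSL sample: no `url` keyword, the URL is a call argument.
INSECURE_BUILD_GRADLE_KTS = """
repositories {
    mavenCentral()
    maven("http://repo.example.org/snapshots")
}
"""

# A plain-HTTP URL up to whitespace or a quoting/bracket character.
# "https://" does not contain the substring "http://", so it never matches.
HTTP_URL = re.compile(r'http://[^\s\'"()<>]+')


def repositories_spans(text):
    """Yield (start, end) of the body of every `repositories { ... }` block.

    Braces are counted so nested `maven { }` blocks stay inside the span.
    This is a heuristic: braces inside string literals or comments are
    counted too, which is good enough for build scripts in practice.
    """
    for m in re.finditer(r'\brepositories\s*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        if depth == 0:  # skip an unterminated block rather than guess
            yield m.end(), i - 1


def find_plain_http_repos(text):
    """Return every plain-HTTP URL declared inside a repositories block."""
    found = []
    for start, end in repositories_spans(text):
        found.extend(HTTP_URL.findall(text[start:end]))
    return found


def fix_plain_http_repos(text):
    """Apply the commit's fix (http: -> https:) inside repositories blocks only,
    leaving unrelated http:// strings elsewhere in the script untouched."""
    out, last = [], 0
    for start, end in repositories_spans(text):
        out.append(text[last:start])
        out.append(text[start:end].replace('http://', 'https://'))
        last = end
    out.append(text[last:])
    return ''.join(out)


if __name__ == '__main__':
    for name, script in (('build.gradle', INSECURE_BUILD_GRADLE),
                         ('build.gradle.kts', INSECURE_BUILD_GRADLE_KTS)):
        for url in find_plain_http_repos(script):
            print('Found plain HTTP URL for gradle repository:\n%s\n%s' % (name, url))
    print('after fix:', find_plain_http_repos(fix_plain_http_repos(INSECURE_BUILD_GRADLE)))
```

Running the block reports both HTTP repositories in the Groovy sample (the page's regex would only catch the one in `allprojects`) plus the one in the Kotlin sample, and reports nothing for the rewritten script while the `ext` URL is left as it was. Dropping this into the walker above in place of `url_pattern.findall` would also require extending the `f.endswith('.gradle')` filter to `.gradle.kts` files.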