fdroiddata/tools/audit-gradle.py

#!/usr/bin/env python3


import os
import re
import sys

# find all repositories that use plain HTTP urls (e.g. not HTTPS)
url_pattern = re.compile('repositories\s*{[^}]*http://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+[^}]*}', re.DOTALL)

exit_value = 0
for appid in sys.argv:
    gitdir = os.path.join('build', appid)
    if not os.path.isdir(gitdir):
        continue
    for root, dirs, files in os.walk(gitdir):
        for f in files:
            if f.endswith('.gradle'):
                path = os.path.join(root, f)
                with open(path) as fp:
                    data = fp.read()
                for url in url_pattern.findall(data):
                    print('Found plain HTTP URL for gradle repository:\n%s\n%s'
                          % (path, url))
                    exit_value += 1

if exit_value:
    print('gradle build uses plain HTTP URLs for repositories!  This is insecure!')
    print('https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/')
sys.exit(exit_value)