package lintian
tag 810378 patch
thanks

Hi,
I've implemented a check for insecure URIs which warns about plaintext transports such as http:// or git://. The patch is against the current HEAD of the git repository. Regards, Tobias
From 5e4c365ee094c32ab50c251402207fa1efe4621c Mon Sep 17 00:00:00 2001
From: "Dr. Tobias Quathamer" <to...@debian.org>
Date: Sat, 16 Jan 2016 01:17:29 +0100
Subject: [PATCH] Add test and code for insecure URIs in VCS-* fields
---
 checks/fields.desc | 12 +++++++++++-
 checks/fields.pm | 11 +++++++----
 .../debian/debian/control.in | 17 +++++++++++++++++
 t/tests/fields-vcs-field-insecure-uri/desc | 6 ++++++
 t/tests/fields-vcs-field-insecure-uri/tags | 2 ++
 5 files changed, 43 insertions(+), 5 deletions(-)
 create mode 100644 t/tests/fields-vcs-field-insecure-uri/debian/debian/control.in
 create mode 100644 t/tests/fields-vcs-field-insecure-uri/desc
 create mode 100644 t/tests/fields-vcs-field-insecure-uri/tags
diff --git a/checks/fields.desc b/checks/fields.desc
index acea0df..13e6cdd 100644
--- a/checks/fields.desc
+++ b/checks/fields.desc
@@ -1108,7 +1108,17 @@ Info: The Vcs-Git field is pointing to a personal repository using a git://(git|anonscm).debian.org/~$LOGIN/$PRJ.git style URI. This is not recommended since the repository this points is not automatically updated when pushing to the personal repository. The recommended URI for anonymous
- access is git://anonscm.debian.org/users/$LOGIN/$PRJ.git.
+ access is https://anonscm.debian.org/git/users/$LOGIN/$PRJ.git.
+
+Tag: vcs-field-uses-insecure-uri
+Severity: wishlist
+Certainty: certain
+Info: The Vcs-* field uses an unencrypted transport protocol for the
+ URI. It is recommended to use a secure transport such as HTTPS for
+ anonymous read-only access.
+ .
+ Note that you can often just exchange e.g. git:// with https:// for
+ repositories.
 Tag: lib-recommends-documentation
 Severity: normal
diff --git a/checks/fields.pm b/checks/fields.pm
index 817a176..c057f2f 100644
--- a/checks/fields.pm
+++ b/checks/fields.pm
@@ -169,13 +169,13 @@ my %VCS_CANONIFY = (
 $_[1] = 'vcs-git-uses-invalid-user-uri';
 }
 $_[0] =~ s{\Qhttp://git.debian.org/\E}
- {http://anonscm.debian.org/git/};
+ {https://anonscm.debian.org/git/};
 $_[0] =~ s{\Qhttp://anonscm.debian.org/git/git/\E}
- {http://anonscm.debian.org/git/};
+ {https://anonscm.debian.org/git/};
 $_[0] =~ s{\Qgit://git.debian.org/\E}
- {git://anonscm.debian.org/};
+ {https://anonscm.debian.org/git/};
 $_[0] =~ s{\Qgit://anonscm.debian.org/git/\E}
- {git://anonscm.debian.org/};
+ {https://anonscm.debian.org/git/};
 },
 hg => sub {
 $_[0] =~ s{\Qhttp://hg.debian.org/\E}
@@ -1292,6 +1292,9 @@ sub run {
 if (any { $_ and /\s/} @parts) {
 tag 'vcs-field-has-unexpected-spaces', "vcs-$vcs", $uri;
 }
+ if ($parts[0] =~ m%^(?:git|http)://%) {
+ tag 'vcs-field-uses-insecure-uri', "vcs-$vcs", $uri;
+ }
 }
 if ($VCS_CANONIFY{$vcs}) {
 my $canonicalized = $parts[0];
diff --git a/t/tests/fields-vcs-field-insecure-uri/debian/debian/control.in b/t/tests/fields-vcs-field-insecure-uri/debian/debian/control.in
new file mode 100644
index 0000000..b81b06d
--- /dev/null
+++ b/t/tests/fields-vcs-field-insecure-uri/debian/debian/control.in
@@ -0,0 +1,17 @@
+Source: {$source}
+Priority: extra
+Section: {$section}
+Maintainer: {$author}
+Standards-Version: {$standards_version}
+Build-Depends: debhelper (>= 9)
+Vcs-Browser: http://anonscm.debian.org/git/users/toddy/foobar.git
+Vcs-Git: git://anonscm.debian.org/users/toddy/foobar.git
+
+Package: {$source}
+Architecture: {$architecture}
+Depends: $\{shlibs:Depends\}, $\{misc:Depends\}
+Description: {$description}
+ This is a test package designed to exercise some feature or tag of
+ Lintian. It is part of the Lintian test suite and may do very odd
+ things. It should not be installed like a regular package. It may
+ be an empty package.
diff --git a/t/tests/fields-vcs-field-insecure-uri/desc b/t/tests/fields-vcs-field-insecure-uri/desc
new file mode 100644
index 0000000..86cff61
--- /dev/null
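Review bot: The rewritten rules only catch `git://git.debian.org/` and the `/git/`-prefixed `git://anonscm.debian.org/git/`, so a plain `git://anonscm.debian.org/<path>` — the form this same patch drops as the recommended one in fields.desc and uses as Vcs-Git in the new test — matches none of the four substitutions and is left untouched by canonicalization. If the HTTPS form is meant to become canonical, a fifth rule after the last one, `$_[0] =~ s{\Qgit://anonscm.debian.org/\E}{https://anonscm.debian.org/git/};`, would cover it without disturbing the others, since their outputs no longer start with `git://`; if leaving that form alone (so it only draws the new wishlist tag) is intentional, a one-line comment saying so would spare the next reader the same question. Both points are hedged: the enclosing `git => sub` starts before the hunk and I cannot see whether a rule outside it already handles that prefix.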
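Review bot: The scheme match `m%^(?:git|http)://%` on the first added line is case-sensitive, but URI schemes are case-insensitive, so `HTTP://` or `Git://` values pass the check unflagged; `if ($parts[0] =~ m%^(?:git|http)://%i) {` closes that gap. The same line uses `$parts[0]` without a definedness guard, while the `any { $_ and /\s/}` test just above tolerates undefined elements, so an undefined first part would presumably raise an uninitialized-value warning under `use warnings` — how `@parts` is built is outside the hunk, so confirm whether that can happen. Since the tag description in fields.desc speaks of `Vcs-*` fields generally, consider whether other cleartext schemes (for example `svn://`) belong in the alternation, or narrow the description to what is actually checked. `sub run` starts and ends outside the hunk.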
+++ b/t/tests/fields-vcs-field-insecure-uri/desc
@@ -0,0 +1,6 @@
+Testname: fields-vcs-field-insecure-uri
+Sequence: 6000
+Description: Test for VCS-* fields using insecure URIs
+Version: 1.0
+Test-For:
+ vcs-field-uses-insecure-uri
diff --git a/t/tests/fields-vcs-field-insecure-uri/tags b/t/tests/fields-vcs-field-insecure-uri/tags
new file mode 100644
index 0000000..1d4338b
--- /dev/null
+++ b/t/tests/fields-vcs-field-insecure-uri/tags
@@ -0,0 +1,2 @@
+I: fields-vcs-field-insecure-uri source: vcs-field-uses-insecure-uri vcs-browser http://anonscm.debian.org/git/users/toddy/foobar.git
+I: fields-vcs-field-insecure-uri source: vcs-field-uses-insecure-uri vcs-git git://anonscm.debian.org/users/toddy/foobar.git
-- 
2.5.0