Skip to content

Restrict livecheck redirects#22944

Merged
MikeMcQuaid merged 1 commit into
mainfrom
restrict-livecheck-redirects
Jul 4, 2026
Merged

Restrict livecheck redirects#22944
MikeMcQuaid merged 1 commit into
mainfrom
restrict-livecheck-redirects

Conversation

@MikeMcQuaid

Copy link
Copy Markdown
Member
  • Prevent brew livecheck from following upstream redirects to non-HTTPS targets by default.
  • Keep livecheck content and header fetches aligned so redirect handling does not diverge.
  • Cover the redirect protocol guard with focused regressions.

  • Have you followed our Contributing guidelines?
  • Have you checked for other open Pull Requests for the same change?
  • Have you explained what your changes do? Performance claims (e.g. "this is faster") must include Hyperfine benchmarks.
  • Have you explained why you'd like these changes included, not just what they do?
  • For bug fixes, have you given step-by-step brew commands to reproduce the bug?
  • Have you written new tests (excluding integration tests)? Here's an example.
  • Have you successfully run brew lgtm (style, typechecking and tests) locally?

  • AI was used to generate or assist with generating this PR.

OpenAI Codex 5.5 xhigh with local review and testing.


Copilot AI review requested due to automatic review settings July 4, 2026 13:23

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens brew livecheck network safety by preventing redirect chains from downgrading to non-HTTPS targets, and ensures the same redirect policy is applied consistently across both header and content fetching paths.

Changes:

  • Add HTTPS-only redirect restrictions to livecheck’s curl invocations (via --proto-redir =https) and centralize redirect-related args.
  • Keep page_headers and page_content aligned by reusing the same redirection argument set.
  • Add focused specs to prevent regressions in redirect protocol guarding.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
Library/Homebrew/livecheck/strategy.rb Introduces shared redirect curl args and applies HTTPS-only redirect policy to livecheck fetches.
Library/Homebrew/test/livecheck/strategy_spec.rb Adds regression tests asserting HTTPS-only redirect args are used for both header and content fetches.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Library/Homebrew/livecheck/strategy.rb
- Prevent `brew livecheck` from following upstream redirects to
  non-HTTPS targets by default.
- Reuse `Utils::Curl` redirect protocol args so the HTTPS-only
  policy remains single-source.
- Cover the redirect protocol guard with focused regressions.
@MikeMcQuaid MikeMcQuaid force-pushed the restrict-livecheck-redirects branch from 0b5ddc5 to dd4ce45 Compare July 4, 2026 13:42
@MikeMcQuaid MikeMcQuaid enabled auto-merge July 4, 2026 13:42
@MikeMcQuaid MikeMcQuaid added this pull request to the merge queue Jul 4, 2026
Merged via the queue into main with commit e56ee46 Jul 4, 2026
41 checks passed
@MikeMcQuaid MikeMcQuaid deleted the restrict-livecheck-redirects branch July 4, 2026 20:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants