gem 'gem_name', github: 'author/gem_name' produces insecure source URI #3324

Closed
vassilevsky opened this Issue Dec 25, 2014 · 11 comments

6 participants
@vassilevsky
Contributor

vassilevsky commented Dec 25, 2014

Hello :)

I ran bundle-audit (https://github.com/rubysec/bundler-audit) against my app. It warned me about an insecure source URI for a gem. I examined my Gemfile and saw that I used the github: 'author/gem_name' option for this gem. As a result, Gemfile.lock had remote: git://github.com/author/gem_name.git. According to bundle-audit, it was insecure. I believe the corresponding check is here:

https://github.com/rubysec/bundler-audit/blob/master/lib/bundler/audit/scanner.rb#L72

I changed gem source to git: 'https://github.com/author/gem_name'. Ran bundle. The URI in Gemfile.lock changed to remote: https://github.com/inossidabile/wash_out. I ran bundle-audit again. All was clear.

Should I make changes to Bundler for it to use the secure URI by default?

Thanks!

@TimMoore

Member

TimMoore commented Dec 25, 2014

Hi @vassilevsky. Thanks for your offer to change this. We already have this change made on the 2-0-dev branch (see https://github.com/bundler/bundler/blob/2-0-dev/lib/bundler/dsl.rb#L233) but we can't change it in the 1.x series, because it breaks backward compatibility. Specifically, changing the URL in the lock file can break some deployment scenarios.

You can search in this issue tracker for a more detailed discussion... this has come up several times before.

@TimMoore TimMoore closed this Dec 25, 2014

@vassilevsky

Contributor

vassilevsky commented Dec 25, 2014

Thank you for the info. I did search issues and found nothing. I think my search skills ain't that mad :(

@simi

Contributor

simi commented Dec 25, 2014

@indirect

Member

indirect commented Dec 25, 2014

@vassilevsky @simi I'm open to a pull request that adds a config flag to switch github to https, while we are waiting for 2.0 to be ready.

@TimMoore

Member

TimMoore commented Dec 26, 2014

I think a config flag might be kind of a hassle, because it would be easy to end up with a mismatch between development and production (or different development machines for that matter).

Now that you can define custom git source shortcuts, you can override the definition in the Gemfile, which I think is a better way to do it. We might want to consider changing the default Gemfile template to include the https override by default.

@simi

Contributor

simi commented Dec 26, 2014

@TimMoore We are on the same page.

Something similar to the example below at the top of the Gemfile should solve your problem for now @vassilevsky.

git_source(:github) do |repo_name|
  # A bare name uses GitHub's "owner/owner" shorthand, e.g. "rails" -> "rails/rails"
  repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
  # The block's return value is the git URL Bundler records in Gemfile.lock
  "https://github.com/#{repo_name}.git"
end

You can find more information in the documentation, in the "Custom git sources" and "Security" sections.
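
Added example, not code from this thread, from Bundler or from bundler-audit: a small Ruby script that puts the two things discussed above side by side. `github_https_url` does what the `git_source(:github)` override in the comment above does (the `github:` shorthand, with or without an owner, becomes an https clone URL), and `insecure_sources` is an approximation of the bundler-audit check mentioned in the opening post: it walks a Gemfile.lock and reports every `remote:` whose scheme is `git://` or `http://`, which also catches the plain-http gem server case raised later in the thread. The lock-file contents, host names and function names are constructed for illustration.

```ruby
# Constructed sample Gemfile.lock (not the thread's real project): one gem
# fetched from GitHub over git://, one private gem server over http://, one
# https source that should pass, and one scp-style SSH remote.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: git://github.com/author/gem_name.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      gem_name (1.0.0)

  GIT
    remote: git@github.com:author/private_gem.git
    revision: 89abcdef0123456789abcdef0123456789abcdef
    specs:
      private_gem (0.1.0)

  GEM
    remote: http://gems.example.internal/
    remote: https://rubygems.org/
    specs:
      rake (10.4.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    gem_name!
    private_gem!
    rake
LOCK

# git:// and http:// are cleartext and unauthenticated: an on-path attacker can
# swap in arbitrary gem code. https:// authenticates the server; scp-style
# git@host:path remotes go over SSH and are not flagged here.
INSECURE_SCHEMES = %w[git http].freeze

# What the Gemfile override does: the github: shorthand ("rails" or
# "rails/rails") becomes an https clone URL.
def github_https_url(repo_name)
  repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
  "https://github.com/#{repo_name}.git"
end

# Scheme of a lock-file remote: "git", "http", "https", or "ssh" for
# scp-style remotes that have no "://" at all; nil if unrecognised.
def remote_scheme(remote)
  m = remote.match(%r{\A([A-Za-z][A-Za-z0-9+.-]*)://})
  return m[1].downcase if m
  remote.match?(/\A[\w.-]+@[\w.-]+:/) ? "ssh" : nil
end

# Approximation of bundler-audit's insecure-source check: every `remote:`
# URI in the lock file whose scheme offers no transport security.
def insecure_sources(lockfile_text)
  found = []
  lockfile_text.each_line do |line|
    remote = line[/\A\s*remote:\s*(\S+)\s*\z/, 1]
    next unless remote
    found << remote if INSECURE_SCHEMES.include?(remote_scheme(remote))
  end
  found
end

# Rewrites git://github.com/... remotes to https, which is what re-running
# `bundle` with the override produces. Only github.com is touched: the scheme
# swap is only safe where the host is known to serve the same repositories
# over https, and changing a lock-file URL can break deployments that expect
# the old one.
def rewrite_github_remotes(lockfile_text)
  lockfile_text.gsub(%r{^(\s*remote:\s*)git://github\.com/}, '\1https://github.com/')
end

if __FILE__ == $PROGRAM_NAME
  puts "github: 'rails' -> #{github_https_url('rails')}"
  puts "Insecure sources before: #{insecure_sources(SAMPLE_LOCKFILE).inspect}"
  fixed = rewrite_github_remotes(SAMPLE_LOCKFILE)
  puts "Insecure sources after github rewrite: #{insecure_sources(fixed).inspect}"
end
```

Run it as `ruby check_sources.rb` (any file name works). On the constructed lock file it reports the `git://github.com/...` remote and the `http://` gem server before the rewrite, and only the `http://` gem server afterwards; that remaining entry is the case where the fix is to change the `source` line itself, since no lock-file rewrite can make a gem server speak https.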

@TimMoore

Member

TimMoore commented Dec 26, 2014

@vassilevsky here are some of the previous issues/pull requests where this has been discussed:

@weakish

weakish commented Jan 2, 2015

@simi Why opts["git"]? bundler.io/git.html just uses https// ....

@RobeDevOps

RobeDevOps commented Jan 16, 2015

I have my own gem repository. When I run bundle-audit I see this:

Insecure Source URI found: http://gems.vc.datys.cu/
Unpatched versions found!

How do I solve this?

@indirect

Member

indirect commented Jan 16, 2015

@RobeDevOps this isn't a support forum, and we don't make bundle-audit. Try Stack Overflow.

@vassilevsky

Contributor

vassilevsky commented Jan 16, 2015

I'm pretty sure that you need to change the line to:

source 'https://gems.vc.datys.cu/'

pfac added a commit to semetpt/semet.pt that referenced this issue Feb 27, 2016

Fix insecure source URI error
Why:

* CodeClimate marks the error `Insecure Source URI found:
git://github.com/middleman-contrib/middleman-deploy.git` in
`Gemfile.lock`. According to bundler/bundler#3324 this happens because
the default for GitHub linked gems is to include the link using the
Git scheme.

This change addresses the problem by:

* Changing the `middleman-deploy` gem to be included using HTTPS.

pfac added a commit to semetpt/semet.pt that referenced this issue Feb 27, 2016

Fix insecure source URI error
Why:

* CodeClimate marks the error `Insecure Source URI found:
git://github.com/middleman-contrib/middleman-deploy.git` in
`Gemfile.lock`. According to bundler/bundler#3324 this happens because
the default for GitHub linked gems is to include the link using the
Git scheme.
* Since the `middleman-deploy` gem is not up to date, we need to use the
current version on master. Relying on someone else's repository directly
is brittle. We forked the repository for safety so we need to change it
to our branch.

This change addresses the problem by:

* Changing the `middleman-deploy` gem to be included from our repository
using HTTPS.