Squashed 'package-build/' changes from 2e17b08e..01246e73

01246e73 Prevent fetching from git using an insecure protocol

git-subtree-dir: package-build
git-subtree-split: 01246e739da2eded6e007631861cada633302faa

package-build.el

@@ -156,6 +156,13 @@ The string in the capture group should be parsed as valid by `version-to-list'."
   :group 'package-build
   :type 'string)
 
+(defcustom package-build-allowed-git-protocols '("https" "file" "ssh")
+  "Protocols that can be used to fetch from upstream with git.
+By default insecure protocols, such as \"http\" or \"git\", are
+disallowed."
+  :group 'package-build
+  :type '(repeat string))
+
 ;;; Generic Utilities
 
 (defun package-build--message (format-string &rest args)
@@ -286,7 +293,10 @@ is used instead."
 
 (cl-defmethod package-build--checkout ((rcp package-git-recipe))
   (let ((dir (package-recipe--working-tree rcp))
-        (url (package-recipe--upstream-url rcp)))
+        (url (package-recipe--upstream-url rcp))
+        (protocol (package-recipe--upstream-protocol rcp)))
+    (unless (member protocol package-build-allowed-git-protocols)
+      (error "Fetching using the %s protocol is not allowed" protocol))
     (cond
      ((and (file-exists-p (expand-file-name ".git" dir))
            (string-equal (package-build--used-url rcp) url))

package-recipe.el

@@ -29,6 +29,7 @@
 ;;; Code:
 
 (require 'eieio)
+(require 'url-parse)
 
 (defvar package-build-recipes-dir)
 (defvar package-build-working-dir)
@@ -60,6 +61,13 @@
       (format (oref rcp url-format)
               (oref rcp repo))))
 
+(cl-defmethod package-recipe--upstream-protocol ((rcp package-recipe))
+  (let ((url (package-recipe--upstream-url rcp)))
+    (cond ((string-match "\\`\\([a-z]+\\)://" url)
+           (match-string 1 url))
+          ((string-match "\\`[^:/ ]+:" url) "ssh")
+          (t "file"))))
+
 (cl-defmethod package-recipe--fetcher ((rcp package-recipe))
   (substring (symbol-name (eieio-object-class rcp)) 8 -7))