
leiningen.exec/deps fails with TLS error #26

Closed
edvorg opened this issue Oct 20, 2017 · 6 comments

Comments

@edvorg
Contributor

edvorg commented Oct 20, 2017

Hi, strangely I get the following error

Tried to use insecure HTTP repository without TLS.
This is almost certainly a mistake; however in rare cases where it's
intentional please see `lein help faq` for details.

when executing this code

(exec/deps '[[clj-http "3.4.1"]
             [cheshire "5.6.3"]
             [com.taoensso/timbre "4.7.4"]])

While lein itself has no issues with fetching dependencies.

@edvorg
Contributor Author

edvorg commented Oct 20, 2017

Debugged this function

(defn deps
  "Pull `the-deps` dependencies from Maven Central and Clojars. This is a
  convenience function for scripts executed by this plugin.
  Example:
    (use '[leiningen.exec :only (deps)])
    (deps '[[compojure \"1.0.1\"]
            [org.clojure/java.jdbc \"0.1.0\"]]
          :repositories {\"jboss\" \"https://repository.jboss.org/nexus/content/repositories/\"})"
  [the-deps & {:keys [repositories]}]
  (let [{:keys [local-repo mirrors]} (:user (project/init-project (project/read-profiles nil)))]
    (pome/add-dependencies
      :coordinates  the-deps
      :repositories (merge cemerick.pomegranate.aether/maven-central
                           {"clojars" "http://clojars.org/repo"}
                           repositories)
      :local-repo local-repo
      :mirrors mirrors)))

Seems like

  1. There is a hardcoded http repo for clojure
  2. Pomegranate has a hardcoded http repo for maven central

Not sure how it worked before, but should these repos have https links instead?

@edvorg
Contributor Author

edvorg commented Oct 20, 2017

Currently I solved it like this

(exec/deps '[[clj-http "3.4.1"]
             [cheshire "5.6.3"]
             [com.taoensso/timbre "4.7.4"]]
           :repositories {"central" "https://repo1.maven.org/maven2/"
                          "clojars" "https://clojars.org/repo"})

But I think it would be nice to have more secure defaults in lein-exec itself, no?
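
One way to get the safer defaults described in this thread without waiting for a fix in lein-exec is to wrap `exec/deps` in a small helper that supplies https URLs for central and Clojars and refuses any repository whose URL is not https. This is an added example, not code from the lein-exec project; `secure-deps` and `insecure-repos` are hypothetical names, and it assumes the `leiningen.exec/deps` entry point shown above.

```clojure
(ns example.secure-deps
  (:require [leiningen.exec :as exec]))

;; Constructed defaults: https endpoints for the two repositories that the
;; plugin and Pomegranate otherwise reach over plain http.
(def secure-repositories
  {"central" "https://repo1.maven.org/maven2/"
   "clojars" "https://clojars.org/repo"})

(defn insecure-repos
  "Return the names of repositories whose URL does not start with https://.
   Anything else (http://, or a typo such as a missing scheme) is rejected."
  [repos]
  (for [[repo-name url] repos
        :when (not (and (string? url) (.startsWith ^String url "https://")))]
    repo-name))

(defn secure-deps
  "Like exec/deps, but merges the https defaults in and fails loudly if any
   repository in the final map would be fetched without TLS."
  [the-deps & {:keys [repositories]}]
  (let [repos (merge secure-repositories repositories)]
    (when-let [bad (seq (insecure-repos repos))]
      (throw (ex-info "Refusing to fetch dependencies over a non-https repository"
                      {:insecure-repositories (vec bad)})))
    (exec/deps the-deps :repositories repos)))

;; Usage: the same coordinates as above, now resolved only over https.
(secure-deps '[[clj-http "3.4.1"]
               [cheshire "5.6.3"]
               [com.taoensso/timbre "4.7.4"]])
```

Passing `:repositories {"internal" "http://nexus.example/repo"}` to `secure-deps` throws before anything is downloaded, which is the behaviour Leiningen's own check enforces for `lein deps`.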

@kumarshantanu
Owner

Thanks for the report. Strangely, I do not see the errors when exec'ing the same code with Lein 2.7.1 and lein-exec 0.3.6. Which version of Leiningen and lein-exec are you using?

@edvorg
Contributor Author

edvorg commented Oct 26, 2017

lein-exec 0.3.6 and leiningen 2.7.1 on linux manjaro

@edvorg
Contributor Author

edvorg commented Oct 26, 2017

Anyway, there is clearly an unsafe link hardcoded in the project's code, which allows MITM attacks. I can prepare a PR which fixes that problem.

@kumarshantanu
Owner

Anyway, there is clearly an unsafe link hardcoded in the project's code, which allows MITM attacks. I can prepare a PR which fixes that problem.

@edvorg True. Happy to receive a PR.

kumarshantanu added a commit that referenced this issue Oct 27, 2017
use https for clojars repo fix #26